*From https://logging.apache.org/log4j/2.x/security.html (scroll to the paragraph for CVE-2021-44228)*

Note that previous mitigations are proven ineffective!
Fixed in Log4j 2.15.0 CVE-2021-44228

CVE-2021-44228
<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-44228>: Apache
Log4j2 JNDI features do not protect against attacker controlled LDAP and
other JNDI related endpoints.

Severity: Critical

Base CVSS Score: 10.0 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

Versions Affected: all versions from 2.0-beta9 through 2.12.1 and 2.13.0
through 2.14.1

Description

In Apache Log4j2 versions up to and including 2.14.1 (excluding security
release 2.12.2), the JNDI features used in configurations, log messages,
and parameters do not protect against attacker-controlled LDAP and other
JNDI related endpoints. An attacker who can control log messages or log
message parameters can execute arbitrary code loaded from LDAP servers when
message lookup substitution is enabled.

Mitigation

*Log4j 1.x mitigation*: Log4j 1.x does not have Lookups so the risk is
lower. Applications using Log4j 1.x are only vulnerable to this attack when
they use JNDI in their configuration. A separate CVE (CVE-2021-4104) has
been filed for this vulnerability. To mitigate: audit your logging
configuration to ensure it has no JMSAppender configured. Log4j 1.x
configurations without JMSAppender are not impacted by this vulnerability.

*Log4j 2.x mitigation*: Implement one of the mitigation techniques below.

- Java 8 (or later) users should upgrade to release 2.16.0.
- Users requiring Java 7 should upgrade to release 2.12.2 when it
becomes available (work in progress, expected to be available soon).
- Otherwise, remove the JndiLookup class from the classpath: zip -q -d
log4j-core-*.jar org/apache/logging/log4j/core/lookup/JndiLookup.class

Note that only the log4j-core JAR file is impacted by this vulnerability.
Applications using only the log4j-api JAR file without the log4j-core JAR
file are not impacted by this vulnerability.
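To check whether a deployed log4j-core JAR still carries the JndiLookup class that the third mitigation above removes, and whether its declared version falls in the affected ranges quoted above, here is a small audit script. It is an added example, not code from the Apache advisory or from this list post; it reads the version from the Maven pom.properties entry (assumed path inside the JAR) and compares only against the ranges this page lists for CVE-2021-44228. The JAR built by build_sample_jar() is constructed test data.

```python
"""Audit a log4j-core JAR for CVE-2021-44228 exposure (added example)."""
import io
import re
import zipfile

# Entries inspected inside the JAR. The class path is the one quoted in the
# mitigation; the pom.properties path is the usual Maven layout (assumption).
JNDI_LOOKUP = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
POM_PROPS = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"

def parse_version(v):
    """'2.12.1' -> (2, 12, 1); '2.0-beta9' -> (2, 0, 0) so it sorts with 2.0."""
    nums = [int(x) for x in re.findall(r"\d+", v.split("-")[0])]
    return tuple((nums + [0, 0, 0])[:3])

def version_affected(v):
    """True if v lies in 2.0-beta9..2.12.1 or 2.13.0..2.14.1 (ranges from the advisory)."""
    ver = parse_version(v)
    if ver < (2, 0, 0):
        return False  # Log4j 1.x is covered by CVE-2021-4104, not this check
    return (2, 0, 0) <= ver <= (2, 12, 1) or (2, 13, 0) <= ver <= (2, 14, 1)

def audit_jar(jar_bytes):
    """Return a dict describing the exposure of the JAR given as bytes."""
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as zf:
        names = set(zf.namelist())
        version = None
        if POM_PROPS in names:
            for line in zf.read(POM_PROPS).decode().splitlines():
                if line.startswith("version="):
                    version = line.split("=", 1)[1].strip()
    has_lookup = JNDI_LOOKUP in names
    return {
        "version": version,
        "jndi_lookup_present": has_lookup,
        # Exposed only if the class is still present AND the version is in range.
        "vulnerable": has_lookup and version is not None and version_affected(version),
        # Class present but no version found: flag for manual review.
        "needs_review": has_lookup and version is None,
    }

def build_sample_jar(version, include_lookup=True):
    """Constructed test data: a minimal JAR with pom.properties and an optional class stub."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(POM_PROPS, f"artifactId=log4j-core\nversion={version}\n")
        if include_lookup:
            zf.writestr(JNDI_LOOKUP, b"\xca\xfe\xba\xbe")  # fake class bytes
    return buf.getvalue()

if __name__ == "__main__":
    for v, keep in [("2.14.1", True), ("2.14.1", False), ("2.12.2", True)]:
        print(v, "class kept" if keep else "class removed", audit_jar(build_sample_jar(v, keep)))
```

On a real host, replace build_sample_jar() with open(path, "rb").read() for each log4j-core-*.jar found on the classpath.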


This mailing list archive is Copyright 1997-2024 by midrange.com and David Gibbs as a compilation work. Use of the archive is restricted to research of a business or technical nature. Any other uses are prohibited. Full details are available on our policy page.