CVE-2021-44228 Zero-day vulnerability description and mitigations
A zero-day vulnerability in the Apache Log4j Java logging library was publicly disclosed on December 9, 2021. It is present in versions greater than or equal to 2.0.0 and prior to 2.15.0 (version 2.15.0 is not vulnerable). An attacker who can control log messages or log parameters can use a JNDI LDAP endpoint to remotely execute arbitrary code on the server.
Versions 1.x of log4j are vulnerable only if a JMS Appender is present in the configuration.
Apache Log4j2 <=2.14.1 JNDI features used in configuration, log messages, and parameters do not protect against attacker controlled LDAP and other JNDI related endpoints. An attacker who can control log messages or log message parameters can execute arbitrary code loaded from LDAP servers when message lookup substitution is enabled. From log4j 2.15.0, this behavior has been disabled by default. In previous releases (>2.10) this behavior can be mitigated by setting system property "log4j2.formatMsgNoLookups" to true, or it can be mitigated in prior releases (<2.10) by removing the JndiLookup class from the classpath (example: zip -q -d log4j-core-*.jar org/apache/logging/log4j/core/lookup/JndiLookup.class). Source
Who is affected
This vulnerability is exploitable if:
- The attacker can reach a public endpoint of your application over any protocol (HTTP, TCP, etc.).
- The attacker can control what that endpoint writes to its logs (the content of a log message or of a log parameter).
It affects the following versions of log4j:
- Versions greater than or equal to 2.0.0 but lower than 2.15.0 (>= 2.0.0 and < 2.15.0).
- Versions 1.x are vulnerable only in the presence of a JMS Appender.
There are a few possible mitigations depending on your situation.
Upgrade log4j version
If you are using a version of log4j lower than 2.15.0, you can upgrade your current version. This is the safest solution, especially when you are using a 2.x version, because the upgrade is minor in that case. Upgrading from 1.x may require more effort, but note that Log4j 1.x reached its end of life on August 5, 2015.
If you cannot upgrade the log4j version
If you are using version >=2.10 and <=2.14.1 of log4j, the mitigation can be done by setting one of the two following properties to true:
- System property log4j2.formatMsgNoLookups
- Environment variable LOG4J_FORMAT_MSG_NO_LOOKUPS
If you are using version >=2.0-beta9 and <=2.10.0 of log4j, you can remove the JndiLookup class from the JVM's classpath. This can be done with the following command:
zip -q -d log4j-core-*.jar org/apache/logging/log4j/core/lookup/JndiLookup.class
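The two mitigation paths above (set log4j2.formatMsgNoLookups / LOG4J_FORMAT_MSG_NO_LOOKUPS for >=2.10, remove JndiLookup.class for older 2.x) and the affected-version ranges from the "Who is affected" section can be turned into a small triage tool. The script below is an added example, not part of this advisory or of the Log4j project: it classifies a log4j-core version string against the ranges given above, inspects a jar for the JndiLookup class, and writes a copy of the jar without that class, which is what the zip -q -d command does. It assumes the jar's META-INF/MANIFEST.MF carries an Implementation-Version attribute (log4j-core jars normally do); the sample jar it builds for the demonstration is constructed in a temporary directory and is not a real log4j artifact.

```python
"""Triage a log4j-core jar against CVE-2021-44228 (added example, not the advisory's code)."""
import re
import tempfile
import zipfile
from pathlib import Path

# Class whose presence enables JNDI lookups in message substitution.
JNDI_LOOKUP = "org/apache/logging/log4j/core/lookup/JndiLookup.class"


def parse_version(v):
    """Turn '2.14.1' or '2.0-beta9' into a comparable tuple.

    A pre-release (beta9, rc1) sorts before the final release of the same
    number: (2, 0, 0, 0, 'beta', 9) < (2, 0, 0, 1).
    """
    m = re.fullmatch(r"(\d+)\.(\d+)(?:\.(\d+))?(?:-([A-Za-z]+)(\d*))?", v.strip())
    if not m:
        raise ValueError(f"unrecognised log4j version: {v!r}")
    major, minor, patch, tag, tagnum = m.groups()
    base = (int(major), int(minor), int(patch or 0))
    return base + (0, tag.lower(), int(tagnum or 0)) if tag else base + (1,)


def classify(version):
    """Return (status, advice) using the ranges stated in the advisory.

    The affected range starts at 2.0-beta9, where the class-removal
    mitigation applies, and ends before 2.15.0.
    """
    ver = parse_version(version)
    if ver[0] == 1:
        return ("conditional", "log4j 1.x is affected only when a JMS Appender is configured; "
                               "1.x is end-of-life, so plan a migration to 2.15.0 or later")
    if ver < parse_version("2.0-beta9"):
        return ("unaffected", "below the affected range given in the advisory")
    if ver >= parse_version("2.15.0"):
        return ("unaffected", "2.15.0 and later disable message lookups by default")
    if ver >= parse_version("2.10.0"):
        return ("vulnerable", "upgrade to 2.15.0; otherwise set the system property "
                              "log4j2.formatMsgNoLookups=true or the environment variable "
                              "LOG4J_FORMAT_MSG_NO_LOOKUPS=true")
    return ("vulnerable", "upgrade to 2.15.0; otherwise remove "
                          f"{JNDI_LOOKUP} from log4j-core (see strip_jndi_lookup)")


def jar_version(jar_path):
    """Read Implementation-Version from the manifest (assumed attribute), or None."""
    with zipfile.ZipFile(jar_path) as jar:
        try:
            manifest = jar.read("META-INF/MANIFEST.MF").decode("utf-8", "replace")
        except KeyError:
            return None
    for line in manifest.splitlines():
        if line.startswith("Implementation-Version:"):
            return line.split(":", 1)[1].strip()
    return None


def jar_has_jndi_lookup(jar_path):
    with zipfile.ZipFile(jar_path) as jar:
        return JNDI_LOOKUP in jar.namelist()


def strip_jndi_lookup(src, dst):
    """Write a copy of src without JndiLookup.class; return True if it was removed.

    zipfile cannot delete in place, so the archive is rebuilt entry by entry,
    which has the same effect as `zip -q -d log4j-core-*.jar <class>`.
    """
    removed = False
    with zipfile.ZipFile(src) as inp, zipfile.ZipFile(dst, "w") as out:
        for info in inp.infolist():
            if info.filename == JNDI_LOOKUP:
                removed = True
                continue
            out.writestr(info, inp.read(info.filename))
    return removed


def triage_jar(jar_path):
    """Combine the version check with the on-disk state of the jar."""
    version = jar_version(jar_path)
    status, advice = classify(version) if version else ("unknown", "no Implementation-Version in manifest")
    present = jar_has_jndi_lookup(jar_path)
    if status == "vulnerable" and not present:
        status, advice = "mitigated", "JndiLookup.class has already been removed from the jar"
    return {"version": version, "status": status, "jndi_lookup_present": present, "advice": advice}


def build_sample_jar(path, version, include_jndi=True):
    """Constructed stand-in for a log4j-core jar: a manifest plus dummy class entries."""
    with zipfile.ZipFile(path, "w") as jar:
        jar.writestr("META-INF/MANIFEST.MF", f"Manifest-Version: 1.0\nImplementation-Version: {version}\n")
        jar.writestr("org/apache/logging/log4j/core/Logger.class", b"\xca\xfe\xba\xbe")
        if include_jndi:
            jar.writestr(JNDI_LOOKUP, b"\xca\xfe\xba\xbe")


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        src, dst = Path(tmp) / "log4j-core-2.10.0.jar", Path(tmp) / "log4j-core-2.10.0-nojndi.jar"
        build_sample_jar(src, "2.10.0")
        print(triage_jar(src))
        strip_jndi_lookup(src, dst)
        print(triage_jar(dst))
```

Run it against a real deployment by pointing triage_jar at each log4j-core jar found on the classpath; a "mitigated" result only means the class is gone from that jar, so the upgrade to 2.15.0 remains the recommended fix.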
Some sources state that Java 8u121 protects against remote code execution by setting the JVM properties "com.sun.jndi.rmi.object.trustURLCodebase" and "com.sun.jndi.cosnaming.object.trustURLCodebase" to "false". However, the best mitigation is to upgrade the log4j version.