There is a new zero-day vulnerability in the Apache Log4j Java library, and it is being actively exploited right now. The bug, now tracked as CVE-2021-44228 and dubbed Log4Shell or LogJam, is an unauthenticated RCE vulnerability that allows complete system takeover on systems running Log4j 2.0-beta9 up to 2.14.1. There are many applications this can and will affect, from a variety of open source projects to vendor-supplied solutions.
Here are some of the major Apache frameworks affected by this vulnerability. Many applications are built on these frameworks, and many others use the Log4j logging library directly.
- Apache Struts2
- Apache Solr
- Apache Druid
- Apache Flink
Some mitigations are currently available, so seek out assistance for any vendor-supported applications you are running. There is also a thread discussing mitigations for this issue.
We are advising our customers to determine which Java-based applications in their environment are affected, starting with anything that is internet-facing. This zero-day is being actively exploited right now.
Current recommendations (as of Dec 20) are:
- log4j v1: Version 1.x of log4j is vulnerable to RCE attacks (like CVE-2019-17571), and if you’re using it you need to migrate to 2.17.0.
- log4j v2.x: External systems with log4j v2.16 or earlier should be prioritized first, but all impacted systems should migrate to 2.17.0. Version 2.16.0 appears to resolve the RCE exploits, but is vulnerable to a new DoS attack.
- Can’t update? Additional mitigations include removing or disabling Log4j, deploying a WAF, network isolation, and configuration changes depending on the software and vendor recommendations. See the sources below for additional information, or check vendor websites for specific software recommendations.
- Sources for these recommendations:
Listed below are some additional informational links:
- CISA Mitigation Options – https://www.cisa.gov/uscert/ed-22-02-apache-log4j-recommended-mitigation-measures
- Suggestions from Apache – https://logging.apache.org/log4j/2.x/security.html
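
An added example, not part of the original advisory or any vendor tooling: a small Python inventory script that walks a directory tree and buckets Log4j jars by the version guidance above. It assumes the standard `log4j-core-<version>.jar` and `log4j-<1.x>.jar` file names; the bucket labels and function names are this example's own.

```python
import os
import re
import sys

# Filename-based match: log4j-core-2.14.1.jar (2.x) or log4j-1.2.17.jar (1.x).
JAR_RE = re.compile(
    r"^log4j(?:-core)?-(\d+)\.(\d+)(?:\.(\d+))?(?:-(alpha|beta|rc)(\d+))?\.jar$")

def classify(filename):
    """Return the advisory bucket for a jar filename, or None if not Log4j."""
    m = JAR_RE.match(filename)
    if not m:
        return None
    ver = (int(m.group(1)), int(m.group(2)), int(m.group(3) or 0))
    pre, pre_n = m.group(4), int(m.group(5) or 0)
    if ver[0] == 1:
        return "v1: migrate to 2.17.0"
    if ver >= (2, 17, 0):
        return "ok: 2.17.0 or later"
    # Range as written in the advisory: 2.0-beta9 up to 2.14.1.
    # 2.0 alphas and betas 1-8 predate beta9, so they fall outside it.
    before_beta9 = ver == (2, 0, 0) and (
        pre == "alpha" or (pre == "beta" and pre_n < 9))
    if ver <= (2, 14, 1) and not before_beta9:
        return "CVE-2021-44228 range: upgrade first"
    return "below 2.17.0: upgrade"

def scan(root):
    """Walk root and return sorted (path, bucket) pairs for Log4j jars."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            bucket = classify(name)
            if bucket:
                hits.append((os.path.join(dirpath, name), bucket))
    return sorted(hits)

if __name__ == "__main__":
    # Usage: python scan_log4j.py /opt/apps   (path is an example)
    for path, bucket in scan(sys.argv[1] if len(sys.argv) > 1 else "."):
        print(f"{bucket:38} {path}")
```

The match is by file name only, so copies bundled inside WAR or fat-jar archives, or renamed jars, are not reported; an empty result does not by itself show that a host is unaffected.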
Regarding OneNeck Systems
Regarding OneNeck’s systems, no immediate threat has been detected, but our teams are actively reviewing the situation to determine any impact on our products and partners.