A critical remote code execution (RCE) vulnerability has been identified in Apache Log4j 2. Applications that deploy Apache Log4j 2 are exposed to a high security risk. To prevent unexpected loss caused by the vulnerability, we recommend that you update your applications at the earliest opportunity.

Timeline

  • On December 9, 2021, the Alibaba Cloud security team released the CVE-2021-44228 security notice about the RCE vulnerability in Apache Log4j 2.
  • On December 10, 2021, the Alibaba Cloud security team released an update to fix the vulnerability. We recommend that you update Apache Log4j 2 to Apache Log4j 2.15.0 or later to fix the vulnerability.
  • On December 15, 2021, the Alibaba Cloud security team released an update to fix the vulnerability. We recommend that you update Apache Log4j 2 to Apache Log4j 2.16.0 to fix the issue. If you use Apache Log4j 2.12.2, you do not need to perform any updates.

Vulnerability description

Apache Log4j 2 is a popular Java-based logging framework. On November 24, 2021, the Alibaba Cloud security team reported an RCE vulnerability in Apache Log4j 2 to Apache. Because some features of Apache Log4j 2 resolve values recursively, an attacker can send a malicious request that triggers the RCE vulnerability. The Alibaba Cloud security team verified that the vulnerability affects various Apache projects, such as Apache Struts 2, Apache Solr, Apache Druid, and Apache Flink.

Vulnerability severity

  • CVE-2021-44228 RCE vulnerability in Apache Log4j 2: critical.
  • CVE-2021-45046 DoS and RCE vulnerability in Apache Log4j 2: critical.

Affected users

All users of Apache Log4j 2 versions 2.0.0 to 2.15.0, including 2.15.0-rc1.

Fixes

  1. We recommend that you update Apache Log4j 2 to Apache Log4j 2.15.0 at the earliest opportunity. For more information, see Download Apache Log4j 2.
  2. Update all applications and components that are affected by the vulnerability to their latest versions. These include spring-boot-starter-log4j2, Apache Struts 2, Apache Solr, Apache Druid, and Apache Flink.
  3. If you cannot update immediately, work around the vulnerability. We recommend that you update your JDK to 6u211, 7u201, 8u191, 11.0.1, or later; this reduces, but does not eliminate, the possibility of Java Naming and Directory Interface (JNDI) exploitation. If you use a Log4j 2 version later than 2.10, you can set the log4j2.formatMsgNoLookups parameter to true, or remove the JndiLookup class from the classpath. For example, you can run the following command to remove the JndiLookup class from the jar: zip -q -d log4j-core-*.jar org/apache/logging/log4j/core/lookup/JndiLookup.class
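As an added example that is not part of this advisory, the following Python script checks a log4j-core jar for the JndiLookup class and the version recorded by Maven, and strips the class the same way the zip -q -d command above does. The sample jar it builds is constructed for the demonstration and is not a real Log4j artifact; the pom.properties path assumes a standard Maven build of log4j-core.

```python
import tempfile
import zipfile
from pathlib import Path

# Class that the advisory's workaround removes from log4j-core.
JNDI_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
# Assumption: the jar was built by Maven, which records the version here.
POM_PROPS = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"


def log4j_core_version(jar_path):
    """Return the log4j-core version from pom.properties, or None if absent."""
    with zipfile.ZipFile(jar_path) as jar:
        if POM_PROPS not in jar.namelist():
            return None
        for line in jar.read(POM_PROPS).decode().splitlines():
            if line.startswith("version="):
                return line.split("=", 1)[1].strip()
    return None


def has_jndi_lookup(jar_path):
    """True if the jar still ships JndiLookup.class."""
    with zipfile.ZipFile(jar_path) as jar:
        return JNDI_CLASS in jar.namelist()


def strip_jndi_lookup(jar_path):
    """Rewrite the jar without JndiLookup.class (same effect as `zip -q -d`).
    Returns True if the class was present and removed."""
    jar_path = Path(jar_path)
    tmp = jar_path.with_suffix(".tmp")
    removed = False
    with zipfile.ZipFile(jar_path) as src, zipfile.ZipFile(tmp, "w") as dst:
        for info in src.infolist():
            if info.filename == JNDI_CLASS:
                removed = True
                continue  # drop only the lookup class, keep everything else
            dst.writestr(info, src.read(info.filename))
    tmp.replace(jar_path)  # atomically swap the rewritten jar into place
    return removed


def make_sample_jar(version="2.14.1"):
    """Constructed sample jar laid out like log4j-core; NOT a real artifact."""
    path = Path(tempfile.mkdtemp()) / f"log4j-core-{version}.jar"
    with zipfile.ZipFile(path, "w") as jar:
        jar.writestr(POM_PROPS, f"version={version}\nartifactId=log4j-core\n")
        jar.writestr(JNDI_CLASS, b"\xca\xfe\xba\xbe")  # placeholder class bytes
        jar.writestr("org/apache/logging/log4j/core/Logger.class", b"\xca\xfe\xba\xbe")
    return path
```

Run it over every log4j-core jar found on a host to list which versions are deployed and which still contain the class; stripping the class is a stopgap until the jar is replaced by a fixed release.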

References

  • If you cannot fix the vulnerability in your applications, or cannot verify the fix in a timely manner, we recommend that you activate and use Application Real-Time Monitoring Service (ARMS) at the earliest opportunity. ARMS is built on Runtime Application Self-Protection (RASP) technology and can protect your applications against attacks. For more information about ARMS, see What is Application Security?