Alibaba Cloud Computing Co., Ltd. recently discovered a remote code execution (RCE) vulnerability in Apache Log4j2 and reported this vulnerability to Apache.

For more information about the vulnerability, see Alibaba Cloud Statement on the Impact Assessment of Apache Log4j2 RCE Vulnerability (CVE-2021-44228).

You can connect an application to the application security feature and enable protection to monitor, block, and report attacks such as remote command execution at runtime. For more information, see Access application security. After you connect an application, the feature identifies and reports an attack event when the application is attacked through the Log4j2 remote code execution vulnerability. You can view Apache Log4j2 vulnerability information on the following pages of the application security feature.

  • Log on to the ARMS console. In the left-side navigation pane, choose Application Security > Attack Statistics.

    If Apache Log4j2 attacks occur, you can view the data of Apache Log4j2 attacks on the Attack Statistics page.

  • Log on to the ARMS console. In the left-side navigation pane, choose Application Security > Risky Component Detection.

    The Risky Component Detection tab displays the Apache Log4j2 vulnerabilities that are automatically detected by the application security feature and suggestions to fix the vulnerabilities.

    Note: The risky component detection feature automatically analyzes the associated CVE vulnerability library and provides repair suggestions for third-party component dependencies.
  • Log on to the ARMS console. In the left-side navigation pane, choose Application Security > Risky Component Detection. Click the Full Component Auto-check tab.

    The Full Component Auto-check tab allows you to check all connected applications for components affected by the Log4j2 vulnerability and to determine the versions of those components.


In the alert rule, you can specify the methods to receive alert notifications such as SMS, DingTalk, and email. For more information about how to create an alert rule, see Use Application Security alert rules.

By default, Protection Mode of the application security feature is set to Monitor. We recommend that you change it to Monitor and Block after a period of observation. When an attack occurs, the application security feature can directly block it to ensure the normal operation of the application. For more information about how to change Protection Mode, see Set prevention mode.