Security Advisory on Apache Log4j 2 RCE Vulnerability (CVE-2021-44228)

On December 10th, 2021, the Alibaba Cloud Security Team found that the vulnerability is still present in Apache Log4j2 2.15.0-rc1, which is the version recommended by Apache for fixing the vulnerability. We recommend that users upgrade Apache Log4j2 to version 2.15.0 to mitigate the effects of this vulnerability.

Timeline:
--On December 9th, 2021, the Alibaba Cloud Security Team reported an Apache Log4j2 remote code execution (RCE) vulnerability (CVE-2021-44228).
--On December 10th, 2021, the Alibaba Cloud Security Team found that the vulnerability is still present in Apache Log4j2 2.15.0-rc1, which is the version recommended by Apache for fixing the vulnerability. We recommend that users upgrade Apache Log4j2 to version 2.15.0 or higher to mitigate the effects of this vulnerability.
--On December 15th, 2021, the Alibaba Cloud Security Team upgrade security advisory, add the Apache Log4j2 security version 2.12.2.

Description:
Apache Log4j2 uses recursive resolution in some functions. Attackers can construct malicious requests to exploit the vulnerability. As verified by the Alibaba Cloud Security Team, this vulnerability affects Apache Struts 2, Apache Solr, Apache Druid, and Apache Flink. On December 10th, 2021, the Alibaba Cloud Security Team found that the vulnerability is still present in Apache Log4j2.15.0-rc1. Alibaba Cloud emergency response center recommends that users upgrade Apache Log4j2 to 2.15.0 or later versions at their earliest opportunity to mitigate the impacts of this vulnerability.

Severity: Critical

Versions affected:
Apache Log4j2 of versions from 2.0.0 and before 2.15.0.
Note: Apache Log4j 1.x versions are not affected by this vulnerability.

Suggestions:

1. Check whether the Apache Log4j2 core JAR package is introduced into the application. If there is dependency introduction and it is within the affected version range, there may be a vulnerability. Please upgrade all Apache Log4j2 related applications to the latest Log4j2-2.15.0 as soon as possible. You can download the latest Log4j2-2.15.0 at this URL: https://logging.apache.org/log4j/2.x/download.html..
2. Check whether your application uses the Apache Java 8, upgrade Apache Log4j2 to version 2.16.0.
3. Check whether your application uses the Apache Java 7, upgrade Apache Log4j2 to version 2.12.2.
4、If you are not able to upgrade the new java version, then it is suggested to delete the JndiLookup. You can use the command: zip -q -d log4j-core-*.jar org/apache/logging/log4j/core/lookup/JndiLookup.class
5、Upgrade known applications and components that are affected by the vulnerability, such as spring-boot-starter-log4j2, Apache Struts 2, Apache Solr, Apache Druid, and Apache Flink.
6、Reference for other temporary mitigation plans: https://logging.apache.org/log4j/2.x/security.html. As there are higher versions applicable, we strongly recommend that users do not use temporary mitigation plans.
References:
1. https://logging.apache.org/log4j/2.x/security.html
2. https://github.com/advisories/GHSA-jfh8-c2jp-5v3q
3. https://avd.aliyun.com/detail?id=AVD-2021-920285

Alibaba Cloud security products can protect you from such vulnerabilities:

Web Application Firewall is able to protect against such vulnerabilities and provides 7-day free vulnerability emergency service to strive for vulnerability repair time for you. Application address: https://www.alibabacloud.com/campaign/free-attack-support.

If you have any questions, please feel free to contact us by submitting a ticket any time.

Alibaba Cloud Emergency Response Center
December 10th, 2021