tencent cloud

On December 17, 2021, Tencent Cloud Security Operations Center noticed that Apache Log4j's fix for CVE-2021-44228 was incomplete in non-default configurations, so the vulnerability could be exploited by attackers to launch remote code execution attacks in some special configuration scenarios.

To safeguard your business, we recommend you conduct a security inspection in time. If your business is affected, update it to fix the vulnerability promptly and prevent intrusions by attackers.

Vulnerability Details

Apache Log4j 2 is an open-source logging component as the upgrade of Apache Log4j. It controls the output format of each log and allows you to define the level of each log to control the log generation process in a more refined manner.

After disclosing the severe RCE vulnerability CVE-2021-44228 on December 9, 2021, Apache Log4j recently disclosed another RCE vulnerability CVE-2021-45046, whose severity increased from CVSS 3.7 to CVSS 9.0. This vulnerability is caused by the incomplete fix for CVE-2021-44228 in non-default configurations. In certain scenarios such as thread context search mode, attackers can construct specific requests to execute code remotely.

This vulnerability also affects a high number of universal applications and components around the globe, such as:
Apache Struts 2
Apache Solr
Apache Druid
Apache Flink
Apache Dubbo
Apache Kafka
Spring-boot-starter-log4j2
Elasticsearch
Logstash
…
We recommend you check and upgrade all systems or applications that use the Log4j component in time.

Risk Level

High (CVSS score: 9.0)

Vulnerability Risk

This vulnerability may be exploited by attackers to remotely execute arbitrary code.

Affected Versions

2.0-beta9 ≤ Apache Log4j 2.x < 2.16.0 (excluding 2.12.2)

Safe Versions

• Apache Log4j 2.16.0 (Java 8)
• Apache Log4j 2.12.2 (Java 7)

Suggestions for Fix

We recommend you conduct internal inspections to check whether your business applications use the Apache log4j-core JAR package. If the dependency is introduced and the Log4j version is among the affected versions, the vulnerability may affect your business, and you can take the following measures:

Note：

Back up your data before upgrading to avoid accidental losses.

Upgrading to latest official version (recommended)

Currently, officially fixed versions have been released. You can upgrade the component or update the code to this version.

• If you use Java 8, upgrade to Apache Log4j 2.16.0.
• If you use Java 7, upgrade to Apache Log4j 2.12.2.

Using other protection solutions

1. If you cannot upgrade the version currently, we recommend you run the following command to remove the JndiLookup class file from the log4j-core package and restart the service:

   zip -q -d log4j-core-*.jar org/apache/logging/log4j/core/lookup/JndiLookup.class
   

2. Use a security group or firewall to restrict the affected applications from accessing the internet.

References

For more information, see Apache Log4j Security Vulnerabilities.