tencent cloud

On December 9, 2021, Tencent Cloud Security Operations Center noticed that a severe code execution vulnerability (CVE-2021-44228) in Apache Log4j 2 was disclosed. Currently, Log4j 2 has released an official security announcement and safe version. Once the vulnerability is exploited, problems such as server intrusion can occur.

To safeguard your business, we recommend you conduct a security inspection in time. If your business is affected, update it to fix the vulnerability promptly and prevent intrusions by attackers.

Vulnerability Details

Apache Log4j 2 is a widely used open-source logging component. It substitutes for print statements such as System.out in projects and is the most popular logging tool in Java.

If Log4j 2 is used to process malicious data in certain scenarios, malicious code may be injected and executed.

Log4j 2 is used by many Java frameworks and applications as a third-party basic logging library. Your business may be attacked through this vulnerability if it uses Log4j 2 to output logs and the log content can be partially controlled by attackers. Therefore, this vulnerability also affects a high number of universal applications and components around the globe, such as:
Apache Struts 2
Apache Solr
Apache Druid
Apache Flink
Apache Flume
Apache Dubbo
Apache Kafka
Spring-boot-starter-log4j2
Elasticsearch
Logstash
…
We recommend you check and upgrade all systems or applications that use the Log4j component in time.

Risk Level

High Risk

Vulnerability Risk

This vulnerability may be exploited by attackers to remotely execute arbitrary code.

Affected Versions

Apache Log4j 2.0–2.14.1

Safe Versions

Apache Log4j 2.16.0

Suggestions for Fix

Upgrading to latest official version (recommended)

The current latest official version is log4j-core-2.16.0. You can upgrade the component or update the code to this version.

Disabling lookup feature in Log4j

Disabling in configuration file (recommended)

Add the following content to the log4j2.component.properties configuration file (if it doesn't exist, manually create one) in classpath of Log4j 2.9.1 or later:

log4j2.formatMsgNoLookups=True
log4j.formatMsgNoLookups=True

Disabling through JVM parameter configuration (not recommended as the configuration can be easily lost)

Add -Dlog4j2.formatMsgNoLookups=true and -Dlog4j.formatMsgNoLookups=true to the JVM startup parameters.

Note：

For versions 2.0–2.10, you should upgrade them to 2.10 or later first and then add JVM parameters.

Upgrading JDK to later versions (recommended)

As JDK on a later version has some security limits, we recommend you upgrade JDK to 6u211, 7u201, 8u191, or 11.0.1 or later. This can block vulnerability exploit methods such as JNDI to a certain extent.

Other temporary mitigation measures

You can use a firewall or security group to prohibit relevant applications and businesses from actively connecting to the public network.

Tencent Security Solution

Tencent Cloud WAF can detect and block attacks exploiting the Log4j 2 RCE vulnerability.

References

For more information, see Apache Log4j Security Vulnerabilities.