On December 29, 2021, Tencent Cloud Security Operations Center noticed that Apache Log4j 2 announced that there was a remote code execution vulnerability (CVE-2021-44832) in some special scenarios. The vulnerability is hard to exploit, as attackers can remotely execute arbitrary code only if they have permissions to modify the configuration file.
To safeguard your business, we recommend you conduct a security inspection in time. If your business is affected, update it to fix the vulnerability promptly and prevent intrusions by attackers.
Vulnerability Details
Apache Log4j 2 is an open-source Java-based logging framework. As an upgraded version of Log4j 1.x, it rewrites the Log4j framework and introduces various new features, making it widely suitable for logging in the development of many business systems.
As described by Apache, attackers with permissions to modify the logging configuration file can construct a malicious configuration using a JDBC Appender with a data source referencing a JNDI URI which can execute remote code
As this vulnerability requires that attackers have the permission to modify configuration files (which usually can be implemented only through other vulnerabilities) and doesn't exist in the default configuration, it is hard to exploit.
Risk Level
Medium.
Vulnerability Risk
This vulnerability may be exploited by attackers to remotely execute arbitrary code.
Affected Versions
2.0-beta7 ≤ Apache Log4j 2.x < 2.17.0 (excluding 2.3.2 and 2.12.4)
Safe Versions
Apache Log4j 2.x ≥ 2.3.2 (Java 6)
Apache Log4j 2.x ≥ 2.12.4 (Java 7)
Apache Log4j 2.x ≥ 2.17.1 (Java 8 or later)
Suggestions for Fix
Currently, an official safe version of Apache Log4j 2 has been released. You can update to it as instructed in Download Apache Log4j 2. Note:
Back up your data before upgrading to avoid accidental losses.
Tencent Security Solution
Tencent Cloud NTA rule libraries released after December 29, 2021 support detecting the Log4j 2 RCE vulnerability CVE-2021-44832.
References