Log4J "Log4Shell" Zero-Day Vulnerability: Impact and Fixes

A critical vulnerability has been discovered in Apache Log4J, the popular Java open source logging library used in countless applications across the world. This vulnerability is tracked as CVE-2021-44228 and has been assigned a CVSS score of 10, the maximum severity rating possible.

Log4J versions 2.15.0 and prior are subject to a remote code execution vulnerability. At a minimum, FOSSA recommends upgrading to version 2.16.0 or higher to mitigate the critical RCE vulnerabilities.

To fix all notable vulnerabilities discovered in the last few weeks (including the DoS Vulnerability: CVE-2021-45105, which impacts 2.16.0), it's recommended to upgrade to 2.17.0 or higher. (The most recent version, 2.17.1, was released on Dec. 28.)




As per Apache security releases, Apache Log4J2 <=2.14.1 JNDI features used in configuration, log messages, and parameters do not protect against attacker-controlled LDAP and other JNDI-related endpoints. An attacker who can control log messages or log message parameters can execute arbitrary code loaded from LDAP servers when message lookup substitution is enabled. From Log4J 2.15.0, this behavior has been disabled by default. But, to reiterate, since additional vulnerabilities were discovered in the weeks following the original RCE disclosure, it's recommended to upgrade to 2.17.0 or higher.

Update: Please view our post "How to Fix the New Log4J DoS Vulnerability: CVE-2021-45105" for more information on the DoS vulnerability discovered on Dec. 17.

Impact of the Log4J Vulnerability

Logging untrusted or user-controlled data with a vulnerable version of Log4J may result in Remote Code Execution (RCE) against your application. This includes untrusted data provided in logged errors such as exception traces, authentication failures, and other unexpected vectors of user-controlled input.


Affected Versions of Log4J

Any Log4J version prior to v2.15.0 is affected by this specific issue; however, the initial patch in v2.15.0 introduced a new vulnerability, CVE-2021-45046. At a minimum, FOSSA recommends upgrading to version 2.16.0 or higher to mitigate the critical RCE vulnerabilities.

To fix all notable vulnerabilities discovered in the last few weeks (including the DoS vulnerability impacting 2.16.0), it's recommended to upgrade to 2.17.0 or higher.

Log4J Vulnerability Fixes

The original issue was fixed in Log4J v2.15.0, but it's strongly recommended that you upgrade to 2.17.0 or higher to address all notable vulnerabilities.

The Apache Logging Services team provides the following mitigation advice:

For vulnerable versions above or equal to v2.10, we recommend at least one of the following mitigations (adapted from the advice provided by the Apache Logging Services team).

Set configuration properties (log4j >=2.10):

  • System property log4j2.formatMsgNoLookups to true
  • OR Environment variable LOG4J_FORMAT_MSG_NO_LOOKUPS to true
  • Note: JNDI lookups are disabled by default in version 2.16.0 and newer

For releases from 2.0 to 2.10.0:

  • Remove the JndiLookup class from the Log4J jar by running the following command: zip -q -d log4j-core-*.jar org/apache/logging/log4j/core/lookup/JndiLookup.class
  • Also remove: JndiManager, JMSAppender, SMTPAppender

Update: Mitigation via JVM settings is no longer possible. Other mitigations are still effective.

You can check for affected versions of Log4J by scanning your projects in FOSSA or by manually checking for Log4J in each project's pom.xml.
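
An added example, not FOSSA's or Apache's code: this Python script inspects built archives, including jars nested inside fat jars, reports the log4j-core version against the thresholds in this article, and shows whether JndiLookup.class is still present (that is, whether the zip -d removal above was applied). It assumes log4j-core carries its usual Maven pom.properties entry (shaded jars may drop it, in which case the version is reported as unknown); the function names and the sample archive, built in memory, are constructed for illustration.

```python
import io
import re
import zipfile

JNDI_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
POM_PROPS = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
# First release that fixes each issue, per the article (backports not special-cased).
FIXED_IN = [((2, 15, 0), "CVE-2021-44228 (RCE)"), ((2, 16, 0), "CVE-2021-45046"),
            ((2, 17, 0), "CVE-2021-45105 (DoS)")]

def classify(version):
    """Return the first issue from the article that still affects this 2.x version."""
    nums = [int(n) for n in re.findall(r"\d+", version)[:3]]
    v = tuple(nums + [0] * (3 - len(nums)))  # pad "2.17" to (2, 17, 0)
    return next((cve for limit, cve in FIXED_IN if v < limit), "ok")

def scan_archive(data, path):
    """Yield log4j-core findings in jar/war/ear bytes, recursing into nested archives."""
    if not zipfile.is_zipfile(io.BytesIO(data)):
        return
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        names = set(zf.namelist())
        if POM_PROPS in names or JNDI_CLASS in names:
            props = zf.read(POM_PROPS).decode("utf-8", "replace") if POM_PROPS in names else ""
            m = re.search(r"^version=(\S+)", props, re.M)
            yield {"path": path, "version": m.group(1) if m else None,
                   "status": classify(m.group(1)) if m else "unknown version",
                   "jndi_lookup_present": JNDI_CLASS in names}
        for name in sorted(names):
            if name.lower().endswith((".jar", ".war", ".ear")):
                yield from scan_archive(zf.read(name), f"{path}!/{name}")

def make_jar(files):
    """Build an in-memory archive from {name: content} for the constructed sample."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, content in files.items():
            zf.writestr(name, content)
    return buf.getvalue()

def demo():
    """Constructed sample: app.jar bundles an untouched and a class-stripped log4j-core."""
    full = make_jar({POM_PROPS: "version=2.14.1\n", JNDI_CLASS: b""})
    stripped = make_jar({POM_PROPS: "version=2.14.1\n"})
    app = make_jar({"BOOT-INF/lib/log4j-core-2.14.1.jar": full, "lib/stripped.jar": stripped})
    return list(scan_archive(app, "app.jar"))

if __name__ == "__main__":
    print(*demo(), sep="\n")
```

To scan a real artifact, pass its bytes and path to scan_archive; a finding with a vulnerable status and jndi_lookup_present set to False still needs the upgrade, since the class removal is a mitigation rather than a fix.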

If possible, upgrade to Log4J version 2.17.0 or higher. If you are using Log4J v1, there is a migration guide available.

If upgrading is not possible, then ensure the -Dlog4j2.formatMsgNoLookups=true system property is set on both client- and server-side components.

Please note that Log4J v1 is End Of Life (EOL) and will not receive patches for this issue. Log4J v1 is also vulnerable to other RCE vectors and we recommend you migrate to Log4J 2.17.0 or higher where possible.
