Version 1.2 Published 1\/4\/2021 8:00AM [Added RCE risk for version 2.17 to New Information]<\/p>\n
Version 1.1 Published 12\/19\/2021 4:00PM [Added DDOS risk for version 2.16 to New Information]<\/p>\n
Version 1.0 Published 12\/17\/2021 12:00PM [Initial Publication]<\/p>\n
Summary:<\/strong> What should you be doing:<\/strong><\/p>\n New Information:<\/strong><\/p>\n Version 2.17 (And 2.12.3 for Java 7) and below, are vulnerable to a remote code execution (RCE) attack where an attacker with permission to modify the logging configuration file can construct a malicious configuration using a JDBC Appender with a data source referencing a JNDI URI which can execute remote code.\u00a0 This does not impact version 1.x. However, other critical vulnerabilities impact this version and should be mitigated. Version 2.17.1 (and 2.12.4 for Java 7) have been released to address this new flaw.<\/p>\n Version 2.16 (and 2.12.2 for Java 7) was found to be susceptible to uncontrolled recursion to self-referential lookups.\u00a0 This would allow an attacker to crash a running application as a form of denial of service.\u00a0 Version 2.17 (And 2.12.3 for Java 7) have been released to address the new flaws.\u00a0 The Log4J Security Page lists some possible mitigations, but upgrading is the preferred full mitigation.<\/p>\n Note: Previous workarounds involving configuration changes to affected versions are no longer sufficient.<\/p>\n Helpful links:<\/strong><\/p>\n
The Log4J vulnerability is a critical vulnerability that allows for Remote-Code-Execution on an impacted device.\u00a0 If any user-controlled input is sent to a vulnerable service, and logged, then that device can be forced to run any arbitrary code as the user of the impacted service.\u00a0 \u00a0Typical examples of malicious payload would be keyloggers, rootkits, and ransomware.\u00a0 Because this library is present in many commercial and home-grown applications it is critical to review\u00a0ALL<\/strong>\u00a0IT assets for this vulnerability.\u00a0 As new versions of these exploits are discovered, the mitigations and list of impacted products are constantly changed, so IT staff must monitor and adapt to the changing threat landscape.<\/p>\n\n
\n
\n
\n
\n