Log4Shell CVE-2021-44248 Public Notification | Daisy UK

10th December 2021

Knowledge of a vulnerability in the longstanding, widely deployed Java-based logging framework log4j has spread quickly across the internet. The framework is bundled into many applications, and multiple versions of it carry a remote code execution vulnerability that is trivial to exploit and is currently being exploited in the wild.

“Log4Shell” (CVE-2021-44248) has been assigned a CVSS score of 9.8/10.0: it is trivial to exploit, requires no authentication and allows code execution on any affected remote target.

This officially affects log4j versions 2.0 through 2.14.1; however, there have been unconfirmed reports of log4j 1.x versions also being affected.

Public exploitation is ongoing: threat actors are scanning for, and exploiting, any affected devices they can reach. The list of known affected products is growing as more information about this issue, and about the legacy of log4j in existing software, comes to light.

The Center for Internet Security has defined the following risk profile:

Government:

  • Large and medium government entities: High
  • Small government entities: High

Businesses:

  • Large and medium business entities: High
  • Small business entities: High
  • Home users: High

We strongly recommend upgrading to log4j-2.16.0 or later wherever possible.

Where an upgrade is not immediately possible, the following mitigations may be valid options:

  • Java 8 (or later) users should upgrade to release 2.16.0.
  • Java 7 users should upgrade to release 2.12.2.
  • Otherwise, in any release other than 2.16.0, you may remove the JndiLookup class from the classpath: zip -q -d log4j-core-*.jar org/apache/logging/log4j/core/lookup/JndiLookup.class
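The zip command above only works on a jar you can see on disk; in practice log4j-core is often bundled inside a WAR or EAR, or shaded into a fat jar, where the class must be found first. The following is an added example (not Daisy UK's or Apache's code) that walks a directory tree, reports every archive, nested or not, that still contains the JndiLookup class, flags versions within the affected range stated above, and strips the class from a top-level jar in the same way the zip command does. The file names and the fixture archives it builds are constructed for the demonstration; the class files inside them are placeholder bytes, not real bytecode.

```python
"""Locate log4j-core archives that still carry JndiLookup.class and,
for a top-level jar, remove it (the zipfile equivalent of
'zip -q -d log4j-core-*.jar org/apache/logging/log4j/core/lookup/JndiLookup.class').

Added example; the fixture tree built by build_fixture() is constructed
for demonstration only.
"""
import io
import os
import re
import tempfile
import zipfile
from typing import List, Optional

JNDI_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
ARCHIVE_SUFFIXES = (".jar", ".war", ".ear", ".zip")
# Version is read from the file name, e.g. log4j-core-2.14.1.jar
VERSION_RE = re.compile(r"log4j-core-(\d+\.\d+(?:\.\d+)?)\.jar$")


def version_from_name(filename: str) -> Optional[str]:
    """Return the log4j-core version encoded in a jar file name, or None."""
    m = VERSION_RE.search(filename)
    return m.group(1) if m else None


def in_affected_range(version: str) -> bool:
    """True when the version lies in 2.0 .. 2.14.1, the range the advisory names."""
    parts = tuple(int(p) for p in version.split("."))
    parts = parts + (0,) * (3 - len(parts))  # pad 2.0 -> (2, 0, 0)
    return (2, 0, 0) <= parts <= (2, 14, 1)


def _scan(zf: zipfile.ZipFile, label: str) -> List[str]:
    """Return labels of this archive and any nested archive containing JndiLookup."""
    hits: List[str] = []
    names = zf.namelist()
    if JNDI_CLASS in names:
        hits.append(label)
    for name in names:  # recurse into WEB-INF/lib jars, shaded jars, EARs
        if name.lower().endswith(ARCHIVE_SUFFIXES):
            try:
                with zipfile.ZipFile(io.BytesIO(zf.read(name))) as inner:
                    hits.extend(_scan(inner, f"{label}!{name}"))
            except zipfile.BadZipFile:
                continue  # an entry named like an archive that is not one
    return hits


def find_jndi_lookup(root: str) -> List[str]:
    """Walk root and return sorted 'outer!inner' labels of archives that still ship JndiLookup."""
    hits: List[str] = []
    for dirpath, _, filenames in os.walk(root):
        for fn in filenames:
            if not fn.lower().endswith(ARCHIVE_SUFFIXES):
                continue
            path = os.path.join(dirpath, fn)
            label = os.path.relpath(path, root).replace(os.sep, "/")
            try:
                with zipfile.ZipFile(path) as zf:
                    hits.extend(_scan(zf, label))
            except zipfile.BadZipFile:
                continue
    return sorted(hits)


def strip_jndi_lookup(jar_path: str) -> bool:
    """Rewrite jar_path without JndiLookup.class; True if the class was removed.
    Only a top-level jar is handled: a copy nested inside a WAR/EAR must be
    repackaged, or the bundling application upgraded."""
    with zipfile.ZipFile(jar_path) as src:
        if JNDI_CLASS not in src.namelist():
            return False
        buf = io.BytesIO()
        with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as dst:
            for info in src.infolist():
                if info.filename != JNDI_CLASS:
                    dst.writestr(info, src.read(info.filename))
    with open(jar_path, "wb") as fh:
        fh.write(buf.getvalue())
    return True


def build_fixture(root: str) -> str:
    """Constructed fixture: a loose log4j-core jar, a harmless log4j-api jar,
    and a WAR bundling a second copy of log4j-core. Returns the loose jar path."""
    os.makedirs(os.path.join(root, "lib"))
    os.makedirs(os.path.join(root, "webapps"))
    fake_class = b"\xca\xfe\xba\xbe"  # placeholder, not real bytecode
    core = io.BytesIO()
    with zipfile.ZipFile(core, "w") as z:
        z.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
        z.writestr(JNDI_CLASS, fake_class)
        z.writestr("org/apache/logging/log4j/core/Logger.class", fake_class)
    jar = os.path.join(root, "lib", "log4j-core-2.14.1.jar")
    with open(jar, "wb") as fh:
        fh.write(core.getvalue())
    with zipfile.ZipFile(os.path.join(root, "lib", "log4j-api-2.14.1.jar"), "w") as z:
        z.writestr("org/apache/logging/log4j/Logger.class", fake_class)
    with zipfile.ZipFile(os.path.join(root, "webapps", "app.war"), "w") as z:
        z.writestr("WEB-INF/web.xml", "<web-app/>")
        z.writestr("WEB-INF/lib/log4j-core-2.14.1.jar", core.getvalue())
    return jar


def demo() -> dict:
    """Build the fixture, scan, strip the loose jar, rescan; return the findings."""
    with tempfile.TemporaryDirectory() as root:
        jar = build_fixture(root)
        before = find_jndi_lookup(root)
        removed = strip_jndi_lookup(jar)
        after = find_jndi_lookup(root)
        version = version_from_name(os.path.basename(jar))
        return {"before": before, "removed": removed, "after": after,
                "version": version, "affected": in_affected_range(version)}


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The scan deliberately keys on the class name rather than the version string, because the version only tells you what was shipped, while the presence of JndiLookup.class tells you whether the mitigation has actually been applied. Note that after stripping the loose jar the copy inside app.war is still reported: that is the case the zip command alone does not cover, and the one that most often lingers on a server.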

Please refer to the Log4j security documentation if mitigations are to be applied:

https://logging.apache.org/log4j/2.x/security.html


Apache have provided additional information, updates and mitigation guidance:

https://logging.apache.org/log4j/2.x/index.html

Further technical information and guidance can be found here:

https://www.ncsc.gov.uk/news/apache-log4j-vulnerability

https://nakedsecurity.sophos.com/2021/12/10/log4shell-java-vulnerability-how-to-safeguard-your-servers/