Log4Shell CVE-2021-44248 Public Notification
Knowledge of a vulnerability in the longstanding, widely implemented java-based logging framework log4j has spread quickly throughout the internet. Included in many applications, multiple versions of this framework have a remote code execution vulnerability that is trivial to exploit and is currently undergoing malicious exploitation.
“Log4Shell” or CVE-2021-44248 has been designated a CVSS of 9.8/10.0, is trivial to exploit, requires no authentication and can execute code on any affected remote target.
This officially affects log4j versions between 2.0 and 2.14.1, however there have been unconfirmed reports of log4j 1.x versions also being affected.
Public exploitation is ongoing, threat actors are scanning and exploiting any affected devices they can contact. The scope of known affected products is growing as more information surrounding this issue and the legacy of log4j is uncovered.
The Center for Internet Security has defined the following risk profile:
Government:
- Large and medium government entities: High
- Small government entities: High
Businesses:
- Large and medium business entities: High
- Small business entities: High
- Home users: High
We strongly recommend upgrading to log4j-2.16.0 or later wherever possible.
Additionally, the below mitigations may be a valid option.
- Java 8 (or later) users should upgrade to release 2.16.0.
- Java 7 users should upgrade to release 2.12.2.
- Otherwise, in any release other than 2.16.0, you may remove the JndiLookup class from the classpath: zip -q -d log4j-core-*.jar org/apache/logging/log4j/core/lookup/JndiLookup.class
Please refer to the Log4j documentation should mitigations be applied:
https://logging.apache.org/log4j/2.x/security.html
Apache have provided additional information, update, and mitigation guidance:
https://logging.apache.org/log4j/2.x/index.html
Further technical information and guidance can be found here: