Apache Log4j2 has a remote code execution vulnerability (CVE-2021-44228). Apache Log4j2 processes user input during log processing. Attackers can construct special requests to trigger remote code execution. The POC has been disclosed and the risk is high.

On December 16, 2016, Apache Log4j2 team has disclosed that versions earlier than 2.16.0 had a remote code execution vulnerability (CVE-2021-45046) in addition to the DoS vulnerability.

Apache Log4j2 is a widely used Java-based logging utility. If you are an Apache Log4j2 user, check your system and implement timely security hardening.

Reference: Apache Log4j Security Vulnerabilities

Severity: important

(Severity: low, moderate, important, and critical)

Affected versions:

2.0-beat9 <= Apache Log4j 2.x < 2.16.0 (Version 2.12.2 is not affected.)

Upgrade affected applications and components, such as spring-boot-starter-log4j2, Apache Solr, Apache Flink, and Apache Druid.

Secure versions:

Apache Log4j 1.x is not affected.

Apache Log4j 2.16.0

This vulnerability has been fixed in the official version. Upgrade all applications related to Apache Log4j2 to a secure version as soon as possible.

Link: https://logging.apache.org/log4j/2.x/download.html

ava 8 (or later) users should upgrade to release 2.16.0.

Java 7 users should upgrade to release 2.12.2.

If the upgrade cannot be performed in a timely manner, run the following command to remove the JndiLookup class from the classpath：zip -q -d log4j-core-*.jar org/apache/logging/log4j/core/lookup/JndiLookup.class. Then, restart the service.

Get more professional support at any time

Contact Us