Apache has released version 2.16.0, which completely removes support for Message Lookups and disables JNDI by default. CrowdStrike has identified a malicious Java class file hosted on infrastructure associated with a nation-state adversary. The Java code is used to download known instances of adversary-specific tooling and is likely to be used in conjunction with the recently disclosed Log4Shell exploit (CVE-2021-44228).

On December 10th, 2021, the National Vulnerability Database (NVD) published the CVE-2021-44228 documenting a vulnerability in the Apache log4j library Java Naming and Directory Interface (JNDI) lookup feature allowing for remote code execution by an attacker who is able to manipulate log messages. A proof of concept was released on December 9th, 2021, and active scanning and exploitation attempts have increased through the time of the publishing of this brief.

A previously unknown zero-day vulnerability in Log4j 2.x has been reported on December 9, 2021. If your organization deploys or uses Java applications or hardware running Log4j 2.x your organization is likely affected.

To understand how Elastic is currently assessing internal risk of this vulnerability in our products please see the advisory here.

The NVD currently lacks a CVSS score for this vulnerability, but the Synopsys Cybersecurity Research Center (CyRC) has issued a corresponding Black Duck® Security Advisory (BDSA), and assigned a CVSS score of 9.1, with links to proof-of-concept exploits. A dangerous, zero day exploit has been identified in log4j, a popular Java logging library. Apache log4j/log4j2 is broadly used within the Java community to implement application logging.

Authors and Contributors: As always, security at Splunk is a family business. Credit to authors and collaborators: Ryan Kovar, Shannon Davis, Marcus LaFerrera, John Stoner, James Brodsky, Dave Herrald, Audra Streetman, Johan Bjerke, Drew Church, Mick Baccio, Lily Lee, Tamara Chacon, Ryan Becwar. If you want just to see how to find detections for the Log4j 2 RCE, skip down to the “detections” sections.

Security researchers recently disclosed the vulnerability CVE-2021-44228 in Apache’s log4j, which is a common Java-based library used for logging purposes. Popular projects, such as Struts2, Kafka, and Solr make use of log4j. The vulnerability was announced on Twitter, with a link to a github commit which shows the issue being fixed. Proof-of-concept code was also released to github which shows that the vulnerability is trivial to exploit.

Earlier today, a serious flaw was discovered in the widely used Java logging library Apache Log4j. The vulnerability, ‘Log4Shell,’ was first identified by users of a popular Minecraft forum and was apparently disclosed to the Apache Foundation by Alibaba Cloud security researchers on Nov. 24, 2021. The vulnerability has the potential to allow unauthenticated remote code execution (RCE) on nearly any machine using Log4j.

Over the last two weeks, many have had flashbacks to 2012 when Heartbleed was released and everyone scrambled to fix broadly used OpenSSL. Due to their nature, some applications and services are so prolific that when a vulnerability is identified it causes massive issues for vendors and customers alike. The latest of this kind of issue is the Log4j vulnerability that has been dominating the press.