Sunday, December 12, 2021

LOG4SHELL - CVE-2021-44228: Apache Zero-Day

Log4Shell / Log4j2

A zero-day exploit was discovered in the popular Java logging library log4j2 that results in Remote Code Execution (RCE) when a certain string is logged.

Log4j2 is an open-source, Java-based logging framework commonly incorporated into Apache web servers and Spring-Boot web applications. 



The vulnerability has been reported with CVE-2021-44228 against the log4j-core jar. CVE-2021-44228 is considered a critical flaw, and it has a base CVSS score of 10, the highest possible severity rating.


Who is Impacted:

Too many services are vulnerable to this exploit, as log4j is a widely used Java-based logging utility. Cloud services like Steam and Apple iCloud, and applications like Minecraft, have already been found to be vulnerable.

Anybody using Apache framework services, or any Spring Boot Java-based framework application that uses log4j2, is likely to be vulnerable.


Affected Apache log4j2 Versions



How to SPOT VULNERABLE APPLICATIONS

Ask the admin/system team to run a search/grep command on all servers to find any file with "log4j2" in its name, then check whether it is a vulnerable version.
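One way to carry out the search-then-check step above, as an added example that is not from the original post: it finds log4j-core jars by filename and compares each version against 2.15.0, the fixed release this page names. The function names, status labels and sample filenames are constructed for illustration, and it assumes jars keep the standard `log4j-core-<version>.jar` naming.

```shell
#!/bin/sh
# Added example: flag log4j-core jars below the fixed release named on this page.
FIXED_VERSION="2.15.0"   # from the page: first release without the vulnerability

# version_lt A B: succeeds when dotted numeric version A is strictly lower than B.
version_lt() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        split(a, x, "."); split(b, y, ".")
        for (i = 1; i <= 3; i++) {
            if (x[i] + 0 < y[i] + 0) exit 0
            if (x[i] + 0 > y[i] + 0) exit 1
        }
        exit 1
    }'
}

# classify_jar PATH: print "status<TAB>version<TAB>path" for one log4j-core jar.
classify_jar() {
    ver=$(basename "$1" | sed -n 's/^log4j-core-\([0-9][0-9]*\(\.[0-9][0-9]*\)\{1,2\}\).*\.jar$/\1/p')
    if [ -z "$ver" ]; then
        status=UNKNOWN; ver="?"          # no version in the name: inspect the jar manually
    elif version_lt "$ver" "$FIXED_VERSION"; then
        status=BELOW_FIXED
    else
        status=AT_OR_ABOVE_FIXED
    fi
    printf '%s\t%s\t%s\n' "$status" "$ver" "$1"
}

# scan_log4j DIR: classify every log4j-core jar found under DIR.
scan_log4j() {
    find "$1" -type f -name 'log4j-core*.jar' 2>/dev/null | while IFS= read -r jar; do
        classify_jar "$jar"
    done
}

# With an argument, scan that directory; otherwise demo on constructed empty files (not real jars).
if [ $# -gt 0 ]; then
    scan_log4j "$1"
else
    demo=$(mktemp -d)
    mkdir -p "$demo/app/lib"
    touch "$demo/app/lib/log4j-core-2.14.1.jar" "$demo/app/lib/log4j-core-2.15.0.jar" "$demo/log4j-core.jar"
    scan_log4j "$demo"
    rm -rf "$demo"
fi
```

Jars bundled inside WAR files or Spring Boot fat jars do not appear as separate files on disk, so a filename search like this one will not list them.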


PERMANENT MITIGATION:

Version 2.15.0 of log4j has been released without the vulnerability. log4j-core.jar is available on the Apache Log4j page below; you can download it and update it on your system.

Ref Link: https://logging.apache.org/log4j/2.x/download.html


TEMPORARY MITIGATION:

Add "log4j2.formatMsgNoLookups=true" to the global configuration of your server/web applications.