log4j - vulnerability - Strikes !
Log4j zero-day vulnerabilitydiscovered, affects iCloud, Minecraft, Steam, and more services.
A newly discovered zero-day vulnerability in the widely used Java logging library Apache Log4j is easy to exploit and enables attackers to gain full control
What is log4j ? log4j is a reliable, fast and flexible logging framework (APIs) written in Java, which is distributed under the Apache Software License. log4j is a popular logging package written in Java. log4j has been ported to the C, C++, C#, Perl, Python, Ruby, and Eiffel languages.
How to find if your application has a threat for this ? To check whether your application is likely affected you must verify: Log4j version – all 2.x versions before 2.15.0 (released today, Friday, December 10, 2021) are affected
If both are true, your Log4j version is older than 2.15.0 and your Java version patch level is older than listed above, you’re almost certainly affected
What is the solution ?
Using Java 1.8 or higher? Download the latest Log4j mitigated version 2.15.0 from its download page.
If you can’t upgrade immediately and are using Java 8u121 or later. If the Java version is >= 8u121 it is possible to mitigate the issue
com.sun.jndi.rmi.object.trustURLCodebase to false and com.sun.jndi.cosnaming.object.trustURLCodebase to false. It’s still preferable to update log4j version to secure one as soon as possible.
领英推荐
Using Java version less than 1.8 Source: https://logging.apache.org/log4j/2.x/security.html
In earlier versions of log4j >= 2.10 it is possible to mitigate this issue by Setting the system property
formatMsgNoLookups: true Or
Set the JVM parameter
-Dlog4j2.formatMsgNoLookups=true Or
Removing JndiLookup class from the classpath
example: zip -q -d log4j-core-*.jar org/apache/logging/log4j/core/lookup/JndiLookup.clas
Hope this might help to reduce the vulnerability
Source Credits: Veracode , India Today
.
3 年Thats great