- Caused by Apache Log4j's JNDI ("Java Naming and Directory Interface") features.
- How is it severe? The CVSS score is 10, the maximum, which means the highest risk.
CVE-2021-44228 (named "log4shell" or "log4jam"): Remote code execution (RCE) severe vulnerability, discovered in Log4j, affects a wide range.
To be a pity, it's straightforward and easier for attackers to exploit the CVE-2021-44228 (log4shell) vulnerability. As to services open to some network, especially Internet, the situation is really dangerous.
Updating Log4j version to 2.15.0 is strongly recommended.
- Strongly recommended to updated log4j version 2.15.0 (or later).
Well, When it's difficult to update #Log4j, they are possible:
- Use WAF.
- if ver >= 2.10.0: Disable JNDI lookup with system property (log4j2.formatMsgNoLookups) or environment variable (LOG4J_FORMAT_MSG_NO_LOOKUPS).
- else: Remove JndiLookup from classpath.
This post is based on the tweets by my company.