Log4j/Log4Shell Vulnerability

What you need to know and do

The ongoing Apache Log4j zero-day vulnerability, now known as Log4Shell, remains a critical concern. Adversaries have already targeted more than 40% of corporate networks globally to exploit the flaw, and new vulnerabilities continue to emerge. Here's what you need to know - and how you ought to act to defend your infrastructure.

What to do right now

Focus on remediating Log4j first.

Initially reported on November 24, 2021, with an immediate severity score of CVSS 10 out of 10, the Apache Log4Shell vulnerability has put hundreds of millions of endpoints at risk. And with new variants appearing almost daily, the saga keeps going and going.

However, not every new variant is equal, nor equally likely to be exploited. At its core, Log4Shell is a vulnerability and should be treated as such. Remediating CVE-2021-44228, which is exploitable in Log4j's default configuration, should be your priority.


Adopt an Assumed Breach mentality right away

Review your logs for unusual activity and refer to resources shared on GitHub to discover exploitation attempts.


Use the Automox Worklet for Log4j as a stopgap fix

Automox customers can use a Worklet as a temporary fix for CVE-2021-44228 until the impacted systems can be patched and fully remediated.


Upgrade to Log4j 2.17.1 immediately

Upgrade to the latest release immediately. Attackers are already searching for exploitable targets at scale.

Beware of the hype

Not every new Log4Shell vulnerability is critical. Keep calm and patch on.

While new variants of the original Log4Shell vulnerability have emerged with each new update, keep in mind that these vulnerabilities are not all equal. For instance, CVE-2021-44832, a vulnerability in Apache Log4j versions through 2.17.0, allows an attacker to execute arbitrary code.

Alarming? Yes. Severe? No. Apache scores this vulnerability as a moderate CVSS 6.6/10. To exploit this CVE, an attacker needs to modify logging configuration files, a privilege that would likely indicate the infrastructure is already compromised.

Consult the Log4j release website directly to determine how severely your infrastructure will be impacted by subsequent Log4Shell vulnerabilities.

Log4Shell timeline

The Apache Log4j saga persists with new attack vectors.

Several new variants of Log4Shell have appeared since the original vulnerability (CVE-2021-44228) was fixed with the Log4j v2.15.0 update. Here's the ongoing timeline of events:

November 24

Security researcher Chen Zhaojun discovers the now infamous CVE-2021-44228 or “Log4Shell” vulnerability that allows unauthenticated attackers to execute remote code on vulnerable systems, scoring a CVSS of 10 out of a possible 10. Log4j versions 2.0-beta9 up to 2.14.1 are affected.

December 6

Apache Log4j releases version 2.15.0 to remediate the vulnerability. Shortly after, CVE-2021-45046 is discovered, a flaw that eventually netted a CVSS of 9.0/10 after further research showed that it allowed remote code execution by an attacker. Log4j versions 2.0-beta9 to 2.15.0 are affected, excluding 2.12.2.

December 13

Version 2.16.0 of Apache Log4j is released to remediate it. Yet another vulnerability is discovered: CVE-2021-45105, a CVSS 5.9/10 denial-of-service vulnerability caused by infinite recursion in lookup evaluation. Log4j versions 2.0-beta9 to 2.16.0 are affected, excluding 2.12.3.

December 18

The Log4j team releases version 2.17.0 to fix the denial of service vulnerability.

December 28

Yet another patch, version 2.17.1, is released, this time to remediate CVE-2021-44832, a CVSS 6.6/10 vulnerability that allows code execution by attackers with permission to modify the logging configuration file.
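
To prioritise the way the timeline suggests, the following added example (not code from the original page, Automox or Apache) matches log4j-core versions from a jar inventory against the affected ranges listed above and orders the resulting CVEs by score. The function names, the jar-name pattern and the sample paths are assumptions made for illustration.

```python
import re

# Ranges as written in the timeline above: (CVE, CVSS, first, last, excluded).
# Backport builds the page omits are not modelled: recheck 2.3.x/2.12.x hits.
TIMELINE = [
    ("CVE-2021-44228", 10.0, "2.0-beta9", "2.14.1", ()),
    ("CVE-2021-45046", 9.0, "2.0-beta9", "2.15.0", ("2.12.2",)),
    ("CVE-2021-45105", 5.9, "2.0-beta9", "2.16.0", ("2.12.3",)),
    # The page gives only an upper bound; assumed to cover every 2.x below it.
    ("CVE-2021-44832", 6.6, None, "2.17.0", ()),
]
_PRE_RANK = {"alpha": 0, "beta": 1, "rc": 2}
_VER = r"(\d+)\.(\d+)(?:\.(\d+))?(?:-(alpha|beta|rc)(\d+))?"
_VERSION = re.compile(rf"^{_VER}$")
_JAR = re.compile(rf"log4j-core-({_VER})\.jar$")
# Constructed sample inventory (hypothetical paths), not taken from the page.
SAMPLE_JARS = ["app/lib/log4j-core-2.14.1.jar", "app/lib/log4j-api-2.14.1.jar",
               "svc/log4j-core-2.17.1.jar", "old/log4j-core-2.0-beta9.jar"]


def parse_version(text):
    """Turn '2.0-beta9' or '2.14.1' into a tuple that sorts in release order."""
    m = _VERSION.match(text.strip().lower())
    if not m:
        raise ValueError(f"unrecognised Log4j version: {text!r}")
    major, minor, patch, pre, pre_num = m.groups()
    rank = _PRE_RANK[pre] if pre else 3  # final release sorts after pre-releases
    return (int(major), int(minor), int(patch or 0), rank, int(pre_num or 0))


def cves_for(version):
    """Return [(cve, cvss)] from TIMELINE that apply, highest score first."""
    v = parse_version(version)
    hits = []
    for cve, cvss, first, last, excluded in TIMELINE:
        low = parse_version(first) if first else (2,)  # no lower bound: any 2.x
        if low <= v <= parse_version(last) and v not in map(parse_version, excluded):
            hits.append((cve, cvss))
    return sorted(hits, key=lambda h: h[1], reverse=True)


def triage(jar_names):
    """Map each log4j-core jar name to the timeline CVEs its version carries."""
    found = ((name, _JAR.search(name)) for name in jar_names)
    return {name: cves_for(m.group(1)) for name, m in found if m}


if __name__ == "__main__":
    for jar, hits in triage(SAMPLE_JARS).items():
        print(jar, hits)
```

An empty list means the version is past every range in the timeline; a list that starts with CVE-2021-44228 is the case the page says to remediate first.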
