log4j - Critical vulnerability of Java application - Threat level: yellow

A critical security vulnerability has been identified in the popular "Apache log4j" library.

Last update: 2022-01-22, 14:20

On Jan. 12., 2022, the Bundesamt für Sicherheit in der Informationstechnik (BSI) has downgraded the vulnerabilty to threat level yellow. Nonetheless, for undetected infections it is expected that threats are going to happen within the next weeks and months.

From https://nvd.nist.gov/vuln/detail/CVE-2021-44228 :

"Apache Log4j2 2.0-beta9 through 2.12.1 and 2.13.0 through 2.15.0 JNDI features used in configuration, log messages, and parameters do not protect against attacker controlled LDAP and other JNDI related endpoints. An attacker who can control log messages or log message parameters can execute arbitrary code loaded from LDAP servers when message lookup substitution is enabled. From log4j 2.15.0, this behavior has been disabled by default. From version 2.16.0, this functionality has been completely removed. Note that this vulnerability is specific to log4j-core and does not affect log4net, log4cxx, or other Apache Logging Services projects."

The description from the BSI (german language only) can be found here: https://bsi.bund.de/dok/log4j

Maintainers of servers should check whether the server is using log4j. Affected servers are, e.g., Apache and VMWare. The main measure is to update to version v2.16.0 of log4j.

In case of a compromised service based on this vulnerability, please contact security@uni-freiburg.de .