Log4j is a popular Java logging package used by many backends.

Details of the vulnerability are available here, and according to reports, libraries and solutions built on Apache log4j (Steam, iCloud and Minecraft servers have been mentioned) are also vulnerable. Solutions using the Struts library are probably vulnerable as well.

Affected log4j versions: 2.0 <= Apache log4j <= 2.14.1

The exploit is very simple: it only requires that something the attacker sends to the application (e.g. as the value of any GET or POST parameter) is logged on the server side. Exploiting the vulnerability makes it possible to execute hostile code on the server side.

The good news: systems running JDK versions newer than 6u211, 7u201, 8u191 or 11.0.1 are probably not affected.

Recommendations:

According to preliminary reports, the following should help:

Start your server with log4j2.formatMsgNoLookups set to true, or update to log4j-2.15.0-rc1 or later.

The vulnerability was patched 5 days ago, but active exploitation is ongoing.

More:

https://www.lunasec.io/docs/blog/log4j-zero-day/

[UPDATE] Log4j 2.17.1 is now available with more Log4Shell vulnerability fixes
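A small inventory check, added here as an example and not part of the original post, that rates log4j-core jars against the affected range stated above (2.0 to 2.14.1 inclusive) and against the 2.17.1 release named in the update. It reads the version from the Maven descriptor that log4j-core ships inside its jar; the sample jars it builds are constructed stand-ins containing only that descriptor.

```python
import io
import re
import zipfile

AFFECTED_MIN, AFFECTED_MAX = (2, 0, 0), (2, 14, 1)  # inclusive range from the advisory
RECOMMENDED_MIN = (2, 17, 1)  # release the advisory's update note recommends
# Maven descriptor that the real log4j-core jar ships at this path.
POM_PROPS = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"

def parse_version(text):
    """'2.15.0-rc1' -> (2, 15, 0); pre-release suffixes such as -rc1 are dropped."""
    m = re.match(r"(\d+)\.(\d+)(?:\.(\d+))?", text.strip())
    if not m:
        raise ValueError(f"unrecognised log4j version: {text!r}")
    return int(m.group(1)), int(m.group(2)), int(m.group(3) or 0)

def classify(version):
    """Rate a log4j-core version against the ranges quoted in the advisory."""
    v = parse_version(version)
    if v[0] < 2:
        return "not-log4j2"  # 1.x line, outside the stated range
    if AFFECTED_MIN <= v <= AFFECTED_MAX:
        return "affected"
    if v < RECOMMENDED_MIN:
        return "below-2.17.1"  # original bug fixed, later fixes missing
    return "ok"

def log4j_core_version(jar_bytes):
    """Version from the jar's pom.properties, or None if it is not log4j-core."""
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as jar:
        if POM_PROPS not in jar.namelist():
            return None
        for line in jar.read(POM_PROPS).decode("utf-8").splitlines():
            if line.startswith("version="):
                return line.split("=", 1)[1].strip()
    return None

def audit_jars(named_jars):
    """Map jar name -> (version, rating) for every jar that embeds log4j-core."""
    report = {}
    for name, data in named_jars.items():
        ver = log4j_core_version(data)
        if ver is not None:
            report[name] = (ver, classify(ver))
    return report

def make_sample_jar(version):
    """Constructed stand-in for a log4j-core jar: descriptor only, no classes."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as jar:
        jar.writestr(POM_PROPS, f"version={version}\nartifactId=log4j-core\n")
    return buf.getvalue()
```

To audit a real deployment, feed `audit_jars` the bytes of every `.jar` under the application's classpath; jars that bundle log4j-core under a different path (shaded builds) will not carry the descriptor and need a separate check.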

Recommendations

Developer:

Share with backend team

QA engineer:

Share with backend team

PM/DM:

Share with backend team and client
