
Alert - Apache Log4j Security Upgrade

The Apache Software Foundation has released an upgrade to the Apache Java logging library Log4j that fixes the zero-day vulnerability CVE-2021-44228. When exploited, the vulnerability allows remote code execution on servers.
 
Versions affected: Apache log4j 2.0.beta9 to 2.14.1
 
Security Risks
An unauthenticated, remote attacker could exploit this vulnerability by sending a maliciously crafted request to a server that runs a vulnerable version of Log4j and various services such as Lightweight Directory Access Protocol (LDAP) or Domain Name Service (DNS). The vulnerability is remotely exploitable without authentication, i.e., it may be exploited over a network without the need for a username and password.
 
Recommended Actions
The National Cyber Security Authority (NCSA) recommends that all users and system administrators:
  1. Upgrade to Apache Log4j 2.15.0 immediately,
  2. If the upgrade cannot be performed immediately, apply recommended mitigations immediately.
For further information and support, please contact the National Cyber Security Authority (NCSA) by email at rwcsirt@ncsa.gov.rw or call us on 9009.
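
To decide which systems need the upgrade, the following Python script (an added example, not part of the NCSA alert or of Apache's tooling) walks a directory tree, reads each log4j-core jar's version from its Maven pom.properties entry or its file name, and flags versions inside the affected range stated above. The function names and the status labels are assumptions made for this example.

```python
import re, sys, zipfile
from pathlib import Path

# Affected range as stated in this alert: 2.0-beta9 through 2.14.1 (fixed in 2.15.0).
RANK = {"alpha": 0, "beta": 1, "rc": 2, None: 3}  # pre-releases sort before the release
LOW, HIGH = (2, 0, 0, 1, 9), (2, 14, 1, 3, 0)
VER = re.compile(r"(\d+)\.(\d+)(?:\.(\d+))?(?:[-.](alpha|beta|rc)(\d+))?", re.I)
# Maven build metadata that log4j-core jars carry (also survives in many repackaged jars).
POM = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"

def version_key(text):
    """Turn '2.14.1' or '2.0-beta9' into a sortable tuple; None if unparseable."""
    m = VER.fullmatch(text.strip())
    if not m:
        return None
    major, minor, patch, tag, n = m.groups()
    return (int(major), int(minor), int(patch or 0),
            RANK[tag.lower() if tag else None], int(n or 0))

def is_affected(text):
    """True/False for a parsed version, None when the version needs manual review."""
    key = version_key(text)
    return None if key is None else LOW <= key <= HIGH

def jar_version(path):
    """Prefer the Maven metadata inside the jar; fall back to the file name."""
    try:
        with zipfile.ZipFile(path) as jar:
            if POM in jar.namelist():
                for line in jar.read(POM).decode("utf-8", "replace").splitlines():
                    if line.startswith("version="):
                        return line.split("=", 1)[1].strip()
    except (zipfile.BadZipFile, OSError):
        pass  # unreadable archive: fall through to the file-name check
    m = re.fullmatch(r"log4j-core-(.+)\.jar", Path(path).name)
    return m.group(1) if m else None

def scan(root):
    """Return [(path, version, status)] for every log4j-core jar found under root."""
    findings = []
    for path in sorted(Path(root).rglob("*.jar")):
        version = jar_version(path)
        if version is None:
            continue  # not a log4j-core jar
        status = {True: "AFFECTED", False: "ok", None: "review"}[is_affected(version)]
        findings.append((str(path), version, status))
    return findings

if __name__ == "__main__":
    for path, version, status in scan(sys.argv[1] if len(sys.argv) > 1 else "."):
        print(f"{status:9} {version:12} {path}")
```

Run it with the application or server directory as its argument. Jars nested inside other archives (for example inside a WAR or an executable fat jar) are not opened, so a clean result for those deployments still needs a manual check.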
 
References
 
CVE-2021-44228
CVE-2021-44228 - NVD
Apache Log4j Security Vulnerabilities
Oracle Security Alert Advisory – CVE-2021-44228
Proof of Concept for Critical Apache Log4j RCE Vulnerability

 

12 December 2021
