
Alert - Apache Log4j Security Upgrade [Updated]

The Apache Software Foundation has released an upgrade to the Apache Java logging library Log4j that fixes two critical vulnerabilities, CVE-2021-44228 and CVE-2021-45046. When exploited, the vulnerabilities allow remote code execution and denial-of-service attacks on servers.
 
Versions affected: Apache log4j 2.0.beta9 to 2.15.0
 
Security Risks
An unauthenticated remote attacker could exploit these vulnerabilities by sending a maliciously crafted request to a server running a vulnerable version of Log4j, running various services such as Lightweight Directory Access Protocol (LDAP) or Domain Name Service (DNS). The vulnerabilities are remotely exploitable without authentication, i.e., they may be exploited over a network without the need for a username and password.
 
Recommended Actions
The National Cyber Security Authority (NCSA) recommends that system administrators:
  1. upgrade to Apache Log4j 2.16.0 or later immediately,
  2. if the upgrade cannot be performed immediately, apply recommended mitigations immediately.
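
To decide which hosts need the upgrade first, the following added example (not part of the NCSA advisory or of Apache's tooling) walks a directory tree and flags `log4j-core` JARs whose file name falls in the affected range stated above. It assumes the standard `log4j-core-<version>.jar` artifact naming; the function names are illustrative.

```python
import os
import re

# Affected range and fix version exactly as stated in this advisory.
STAGE = {"alpha": -3, "beta": -2, "rc": -1, None: 0}
FIRST_AFFECTED = (2, 0, 0, STAGE["beta"], 9)   # 2.0-beta9
LAST_AFFECTED = (2, 15, 0, 0, 0)               # 2.15.0; 2.16.0 and later are fixed

# Assumption: JARs keep their standard artifact name, e.g. log4j-core-2.14.1.jar
JAR_RE = re.compile(
    r"^log4j-core-(\d+)\.(\d+)(?:\.(\d+))?(?:-(alpha|beta|rc)(\d+))?\.jar$",
    re.IGNORECASE,
)


def parse_version(filename):
    """Return a sortable version tuple for a log4j-core JAR name, else None."""
    m = JAR_RE.match(os.path.basename(filename))
    if not m:
        return None
    major, minor, patch, stage, stage_n = m.groups()
    stage = stage.lower() if stage else None
    return (int(major), int(minor), int(patch or 0), STAGE[stage], int(stage_n or 0))


def classify(filename):
    """'affected' if within the advisory's range, 'not-in-range' otherwise,
    None when the name is not a recognisable log4j-core JAR."""
    version = parse_version(filename)
    if version is None:
        return None
    in_range = FIRST_AFFECTED <= version <= LAST_AFFECTED
    return "affected" if in_range else "not-in-range"


def scan(root):
    """Walk a directory tree and report every log4j-core JAR with its status."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            status = classify(name)
            if status is not None:
                findings.append((os.path.join(dirpath, name), status))
    return sorted(findings)


if __name__ == "__main__":
    import sys
    for path, status in scan(sys.argv[1] if len(sys.argv) > 1 else "."):
        print(f"{status:13} {path}")
```

A file-name scan does not see copies of the library that were renamed or bundled inside another archive (for example a WAR or a fat JAR), so a clean result does not on its own show that a host is unaffected.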
 
For further information and support, please contact the National Cyber Security Authority (NCSA) by email at rwcsirt@ncsa.gov.rw or call us on 9009.
 
References
CVE-2021-44228
CVE-2021-44228 - NVD
CVE-2021-45046
Apache Log4j Security Vulnerabilities

 

 

 

17 December 2021

© 2024 National Cyber Security Authority