Skip to main content
Sign in Menu

Apache JAVA Log4j2 Vulnerability

Anthony Laney
  • Updated
Update: 
 
No Java dependencies!! Safe from Vulnerability!! Fully Protected Software....
 
You may be aware of the widespread security issue relating to the Log4j vulnerability that has affected many companies and vendors. On December 10th, we immediately began an investigation to determine if our systems had been compromised. We are happy to report that our systems are unaffected by this vulnerability.Log4j is an open-source Java-based logging tool. We do not use Java on our customer data servers and therefore your customer data could not have been exposed.
 
Our application does not use Affected Version and we are JAVA Independent Apache Log4j 2.x <= 2.15.0-rc1It will only affect if someone is running Apache tomcat for Java applications. The CVE can attack the server if log4j, which is a logging framework in Java, is being used in the code. Any attacker can send the request from the URL to attack or intrude the system but that's not the case in our sites.
 
Out of an abundance of caution, we will continue to review all recommended mitigations and monitor the situation closely.
 
 
 
Vulnerability details:
  • Vulnerability description:
  • Apache Log4j2 versions Log4j 2.0-beta9 through 2.14.1 JNDI features used in configuration, log messages, and parameters do not protect against attacker-controlled LDAP and other JNDI related endpoints. An attacker who can control log messages or log message parameters can execute arbitrary code loaded from LDAP servers when message lookup substitution is enabled. Versions Log4j 2.15. and after having disabled this behavior by default.
  • Attacks that target this vulnerability:
  • An attacker can perform a complete system takeover on systems by exploiting this flaw. However, all of the following conditions must be met in order to do so: A server with a vulnerable Log4j version (Log4j 2.0-beta9 through 2.14.1); An endpoint with any protocol (HTTP, TCP, etc.) that allows an attacker to send the exploit string; A log statement that logs out the string from that request.
  • Technical impacts of this vulnerability:
  • The unauthenticated remote code execution (RCE) vulnerability (CVE-2021-44228) affects any Apache Log4j version prior to v2.15.0, including the v1 branch of Log4j, which is considered End of Life (EOL).
  • Related vulnerability:
  •  CVE-2020-9488 (Low); CVE-2017-5645 (Moderate)
  • Links to additional information about this vulnerability:






Related articles

Comments

0 comments

Please sign in to leave a comment.