Mina M
- Dec 14, 2021
- 1 min read

Apache Log4j Vulnerability

Security teams have been scrambling to address a dangerous new zero-day vulnerability in Apache logging system.The CVE-2021-44228 vulnerability allows unauthenticated remote code execution on any Java application running a vulnerable version of Apache’s Log4j 2

The exploit is dangerous for two reasons:

1) Log4j is used by applications and platforms found all over the internet, including Minecraft, and Apple iCloud.

2) It’s relatively easy to exploit.

How to Fix it?

1- Upgrade to log4j-2.1.50.rc2 immediately. If upgrade is not applicable or could impact other services at the moment, use the workaround below.

2- Workaround:

Set the JVM parameter “log4j2.formatMsgNoLookups;” to True
Put a Web Application Firewall or Proxy in front of the vulnerable Java app and block access to connections using the User Agent header string “jndi:ldap” and “jndi:dns”