Security teams have been scrambling to address a dangerous new zero-day vulnerability in Apache logging system.The CVE-2021-44228 vulnerability allows unauthenticated remote code execution on any Java application running a vulnerable version of Apache’s Log4j 2
The exploit is dangerous for two reasons:
1) Log4j is used by applications and platforms found all over the internet, including Minecraft, and Apple iCloud.
2) It’s relatively easy to exploit.
How to Fix it?
1- Upgrade to log4j-2.1.50.rc2 immediately. If upgrade is not applicable or could impact other services at the moment, use the workaround below.
Set the JVM parameter “log4j2.formatMsgNoLookups;” to True
Put a Web Application Firewall or Proxy in front of the vulnerable Java app and block access to connections using the User Agent header string “jndi:ldap” and “jndi:dns”