Extremely critical vulnerability "Log4Shell"

© WWU IT

In the past few days information about a new vulnerability called "Log4Shell" (CVE-2021-44228) in the "log4j" component of many Java-based applications has been released. The vulnerability is extremely critical (CVSS score of 10.0) as a remote attacker can compromise a vulnerable system with very little effort.

Every administrator has to check whether the vulnerable component is used by their service or system. In case a vulnerable version of log4j is used, it has to be updated immediately or a workaround has to be used. To check whether log4j is being used, one can search for the related JAR files ("log4j*.jar"). Especially if the service or system is publicly available, the system should be checked for signs of compromise!

All versions of log4j between 1.0 and 2.14.1 are vulnerable.
In versions 1.x, the vulnerability is only exploitable via a malicious program configuration, which is why the probability of exploitation is considered lower.
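As an added example (not part of the WWU IT advisory), the following Python script implements the check described above: it walks a directory tree for log4j*.jar files, reads the version of each JAR (assuming the manifest carries an Implementation-Version entry, with the file name as fallback) and classifies it against the advisory's version range. The demo() function builds constructed sample JARs in a temporary directory so the script runs offline; point scan() at your own installation directory for a real check.

```python
import fnmatch, os, re, tempfile, zipfile
LAST_VULNERABLE = (2, 14, 1)  # advisory: every 2.x release up to 2.14.1 is affected

def parse_version(text):
    # '2.14.1', '2.14' or '2.0-beta9' -> comparable tuple; None if no version found
    m = re.search(r"(\d+)\.(\d+)(?:\.(\d+))?", text)
    return tuple(int(x or 0) for x in m.groups()) if m else None

def jar_version(path):
    # Prefer Implementation-Version from the manifest, else fall back to the file name
    with zipfile.ZipFile(path) as jar:
        if "META-INF/MANIFEST.MF" in jar.namelist():
            for line in jar.read("META-INF/MANIFEST.MF").decode("utf-8", "replace").splitlines():
                if line.startswith("Implementation-Version:"):
                    return line.split(":", 1)[1].strip()
    return os.path.basename(path)  # e.g. log4j-core-2.14.1.jar

def classify(version):
    v = parse_version(version)
    if v is None:
        return "UNKNOWN"         # no version found: inspect by hand
    if v[0] == 1:
        return "VULNERABLE-1.x"  # exploitable only through a malicious configuration
    if v[0] == 2 and v <= LAST_VULNERABLE:
        return "VULNERABLE"      # update immediately or apply a workaround
    return "OK"

def scan(root):
    for dirpath, _, files in os.walk(root):
        for name in files:
            if fnmatch.fnmatch(name.lower(), "log4j*.jar"):
                path = os.path.join(dirpath, name)
                version = jar_version(path)
                yield path, version, classify(version)

def make_sample_jar(directory, name, version):
    # Constructed stand-in for a real JAR: a zip holding only a manifest
    os.makedirs(directory, exist_ok=True)
    path = os.path.join(directory, name)
    with zipfile.ZipFile(path, "w") as jar:
        jar.writestr("META-INF/MANIFEST.MF", f"Manifest-Version: 1.0\nImplementation-Version: {version}\n")
    return path

def demo():
    # Scan a temporary tree of constructed JARs; returns {file name: status}
    root = tempfile.mkdtemp()
    make_sample_jar(root, "log4j-core-2.14.1.jar", "2.14.1")
    make_sample_jar(root, "log4j-core-2.16.0.jar", "2.16.0")
    make_sample_jar(os.path.join(root, "lib"), "log4j-1.2.17.jar", "1.2.17")
    return {os.path.basename(p): status for p, _, status in scan(root)}
```

A file name that carries no version (plain log4j.jar without a manifest entry) is reported as UNKNOWN rather than silently marked OK, so it still gets a manual look.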

Further information:
https://nakedsecurity.sophos.com/2021/12/10/log4shell-java-vulnerability-how-to-safeguard-your-servers/

Lists of vulnerable software:
https://github.com/NCSC-NL/log4shell/tree/main/software
https://gist.github.com/SwitHak/b66db3a06c2955a9cb71a8718970c592

Resources for identification of compromise:
https://gist.github.com/Neo23x0/e4c8b03ff8cdf1fa63b7d15db6e3860b