ProSec GmbH

Log4j – Critical vulnerability protection

What is Log4j?

The widely used logging library log4j has a critical vulnerability that allows attackers to execute arbitrary code on victim systems (remote code execution).

It is therefore strongly recommended to patch affected systems and applications or, where that is not possible, to make exploitation harder or prevent it through configuration changes or by isolating the affected systems.

Affected systems, applications, manufacturers:

log4j is a Java library. Every system should therefore be checked for whether it requires a Java installation or has Java installed. For Java systems, it must then be checked whether the affected log4j library is in use.

A list of affected vendors is maintained at https://github.com/NCSC-NL/log4shell/blob/main/software/README.md

Vendors affected by log4j (excerpt):

  • Apache (various products)
  • Cisco
  • Graylog
  • Microsoft
  • Oracle
  • SAP
  • Solarwinds
  • TrendMicro

ATTENTION! This list is not complete and is only an excerpt from the above source. There will probably be many more vendors affected who have not yet commented on this.

How to detect affected products and versions?

A scanner is available that searches a system locally for affected applications: https://github.com/hillu/local-log4j-vuln-scanner

Another scanner can perform this check remotely: https://github.com/fullhunt/log4j-scan

Our countermeasures for the log4j vulnerability

Update

log4j should be updated to the current version 2.15.0 as soon as possible. Since users often cannot update the library on their own inside the applications that bundle it, check whether the vendors and manufacturers of affected products provide a security update, and apply it.

Workaround

Where an update is not possible in the short term, two workarounds are currently recommended.

1. From log4j version 2.10 onwards:

Set the environment variable LOG4J_FORMAT_MSG_NO_LOOKUPS to true.

2. From log4j version 2.0-beta 0 and higher:

Delete the class JndiLookup from the classpath (the manufacturer's recommendation). This can be done with the following command:

zip -q -d log4j-core-*.jar org/apache/logging/log4j/core/lookup/JndiLookup.class

3. Replace the affected jar file:

First check whether the file can be replaced at all; consult the manufacturer's documentation for the affected product.
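As an added example (not ProSec's tooling and not one of the scanners linked above), the following Python script applies the checks from this page to a log4j-core jar: it reads the manifest version, tests whether JndiLookup.class is present, reports whether the LOG4J_FORMAT_MSG_NO_LOOKUPS workaround applies, and can write a copy of the jar without the class, which is what the zip command above does. The version threshold 2.15.0 and the 2.10 limit for the environment variable are taken from this page; the sample jars are constructed in memory and contain no real log4j code.

```python
import io
import zipfile
JNDI_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
FIXED_VERSION = (2, 15, 0)    # the fixed release this advisory names
ENV_WORKAROUND_MIN = (2, 10)  # LOG4J_FORMAT_MSG_NO_LOOKUPS is honoured from 2.10

def parse_version(text):
    """'2.14.1' -> (2, 14, 1); a pre-release suffix such as '-beta9' is dropped."""
    return tuple(int(p) for p in text.split("-")[0].split(".") if p.isdigit())

def jar_version(zf):
    """Implementation-Version from the jar manifest, or None if it is missing."""
    if "META-INF/MANIFEST.MF" not in zf.namelist():
        return None
    for line in zf.read("META-INF/MANIFEST.MF").decode("utf-8", "replace").splitlines():
        if line.startswith("Implementation-Version:"):
            return line.split(":", 1)[1].strip()
    return None

def assess_jar(jar):
    """Classify a log4j-core jar (path or file object) by the rules in this advisory."""
    with zipfile.ZipFile(jar) as zf:
        version, has_jndi = jar_version(zf), JNDI_CLASS in zf.namelist()
    parsed = parse_version(version) if version else None
    if parsed and parsed >= FIXED_VERSION:
        status = "patched"        # fixed release, nothing further to do
    elif not has_jndi:
        status = "mitigated"      # JndiLookup removed, as in workaround 2
    elif parsed is None:
        status = "unknown"        # no manifest version: check the vendor's documentation
    else:
        status = "vulnerable"
    return {"version": version, "jndi_lookup_present": has_jndi, "status": status,
            "env_workaround_applicable": bool(parsed) and parsed >= ENV_WORKAROUND_MIN}

def remove_jndi_lookup(src):
    dst = io.BytesIO()  # copy of the jar minus JndiLookup.class (what zip -d does)
    with zipfile.ZipFile(src) as zin, zipfile.ZipFile(dst, "w", zipfile.ZIP_DEFLATED) as zout:
        for item in zin.infolist():
            if item.filename != JNDI_CLASS:
                zout.writestr(item, zin.read(item.filename))
    return dst

def make_sample_jar(version, with_jndi=True):
    buf = io.BytesIO()  # constructed in-memory jar for the demo, not real log4j code
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("META-INF/MANIFEST.MF", f"Manifest-Version: 1.0\nImplementation-Version: {version}\n")
        if with_jndi:
            zf.writestr(JNDI_CLASS, b"")
    return buf
```

Pass a real jar path to assess_jar to check an installed library; for the in-memory copy from remove_jndi_lookup, write its contents to disk to actually deploy the workaround.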


Do you have questions or need support?

If you have any questions or need support in reviewing your systems, please do not hesitate to contact us.


Other sources

https://www.bsi.bund.de/SharedDocs/Cybersicherheitswarnungen/DE/2021/2021-549032-10F2.pdf

https://gist.github.com/SwitHak/b66db3a06c2955a9cb71a8718970c592

https://github.com/NCSC-NL/log4shell/tree/main/mitigation

Last updated on December 17, 2021

All rights reserved. © 2022 ProSec GmbH