
What is Log4j?
The widely used logging library log4j has a critical vulnerability that allows attackers to execute arbitrary code on victim systems (remote code execution).
Affected systems and applications should therefore be patched as soon as possible; where that is not possible, exploitation should be prevented or made harder through configuration changes or by isolating the affected systems.
Affected systems, applications, manufacturers:
log4j is a Java library. Every system should therefore be checked for whether Java is installed, either directly or as a prerequisite of an application. For systems with Java, check whether they use the affected log4j library.
A list of affected providers can be viewed at the link https://github.com/NCSC-NL/log4shell/blob/main/software/README.md
Vendors affected by the log4j vulnerability (excerpt):
Apache (various products)
Cisco
Graylog
Microsoft
Oracle
SAP
Solarwinds
TrendMicro
ATTENTION! This list is not complete and is only an excerpt from the above source. Many more vendors are probably affected but have not yet commented on this.
How to detect affected products and versions?
A scanner exists for finding affected applications locally on a system: https://github.com/hillu/local-log4j-vuln-scanner
Another scanner can check for the vulnerability remotely: https://github.com/fullhunt/log4j-scan
Our countermeasures for the log4j vulnerability
Update
log4j should be updated to the current version 2.15.0 as soon as possible. Since users often cannot update the library on their own inside the applications that bundle it, check whether the vendors and manufacturers of affected products provide a security update, and apply it.
Workaround
Where an update is not possible in the short term, two workarounds are currently recommended.
1. From log4j version 2.10:
Set the environment variable LOG4J_FORMAT_MSG_NO_LOOKUPS to true.
2. From log4j version 2.0-beta 0 and higher:
Delete the class JndiLookup from the classpath (the vendor's recommendation). This can be done with the following command:
zip -q -d log4j-core-*.jar org/apache/logging/log4j/core/lookup/JndiLookup.class
3. Replace the affected jar file:
First check whether replacing the file is possible at all; consult the manufacturer documentation of the affected products for this.
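The following script is an added example, not part of this advisory or of the scanners linked above. It ties the detection step (finding jars that still ship JndiLookup.class, with the version from their manifest) to workaround 2 (rewriting the jar without that class, the same effect as the zip command). The fixture jar it builds is a constructed fake, not a real log4j artifact.

```python
import io, tempfile, zipfile
from pathlib import Path

JNDI_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"  # path from the zip command above

def jar_version(zf):
    """Implementation-Version from META-INF/MANIFEST.MF, or None if the jar has no manifest/version."""
    try:
        manifest = zf.read("META-INF/MANIFEST.MF").decode("utf-8", "replace")
    except KeyError:
        return None
    for line in manifest.splitlines():
        if line.startswith("Implementation-Version:"):
            return line.split(":", 1)[1].strip()
    return None

def scan_dir(root):
    """Map each jar under root that still ships JndiLookup.class to its manifest version."""
    findings = {}
    for jar in Path(root).rglob("*.jar"):
        if not zipfile.is_zipfile(jar):
            continue  # not a real archive, nothing to inspect
        with zipfile.ZipFile(jar) as zf:
            if JNDI_CLASS in zf.namelist():
                findings[jar.name] = jar_version(zf)
    return findings

def strip_jndi_lookup(jar):
    """Rewrite jar without JndiLookup.class; same effect as `zip -q -d <jar> .../JndiLookup.class`."""
    jar, buf = Path(jar), io.BytesIO()
    with zipfile.ZipFile(jar) as zin, zipfile.ZipFile(buf, "w") as zout:
        if JNDI_CLASS not in zin.namelist():
            return False  # already mitigated, or not a log4j-core jar
        for item in zin.infolist():
            if item.filename != JNDI_CLASS:
                zout.writestr(item, zin.read(item.filename))
    jar.write_bytes(buf.getvalue())  # replace the file only after the new archive is complete
    return True

def demo():
    """Constructed fixture: a fake log4j-core jar (not a real artifact), scanned before and after stripping."""
    root = Path(tempfile.mkdtemp())
    jar = root / "log4j-core-2.14.1.jar"
    with zipfile.ZipFile(jar, "w") as zf:
        zf.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\nImplementation-Version: 2.14.1\n")
        zf.writestr(JNDI_CLASS, b"\xca\xfe\xba\xbe")  # placeholder bytes, not real bytecode
    before = scan_dir(root)
    removed = strip_jndi_lookup(jar)
    return before, removed, scan_dir(root)
```

Run scan_dir over the application's library directories first and keep the output as an inventory; the stripped jar must still be replaced by a vendor update when one becomes available, since removing the class only disables the lookup.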