Log4j vulnerability

On 10 December 2021, a zero-day vulnerability was identified in Log4j version 2. stepping stone Ltd is in direct contact with customers who are affected by the Log4j vulnerability.

Log4j is a logging framework with which application messages can be logged in Java. It is used in many open source as well as commercial software products. The project was originally founded in 1996 by Ceki Gülcü while he was working at the IBM Development Lab in Zurich. Today it is part of the logging project of the Apache Software Foundation and is licensed under the Apache licence 2.0. Log4j can forward messages to selected logging systems via so-called loggers. In addition, filtering and the type of output can be configured based on the importance of a message (its "log level").


Vulnerability findings in December 2021

On 10 December 2021, a zero-day vulnerability was identified in log4j version 2 (CVE-2021-44228, often referred to as Log4Shell). This vulnerability could be exploited by attackers to execute arbitrary code.

«Apache Log4j Security Vulnerabilities» lists all affected versions and measures taken by the Apache project regarding this vulnerability. Measures taken so far to close the gap:

Critical vulnerability CVE-2021-44228

Vulnerability CVE-2021-45046
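The first step for an affected customer is an inventory: which log4j-core version is actually deployed? The following Python script is an added example, not code from stepping stone or the Apache project. It reads the version that Maven records in each log4j-core jar, also inside fat jars and web archives, and compares it against a minimum fixed version that you take from the Apache security page linked above and pass in as a parameter (no version threshold is hard-coded here); the sample archives used for testing are constructed in the code.

```python
import io, re, zipfile
from pathlib import Path
from typing import List, Optional, Tuple

# Maven writes the artifact version to this entry inside every log4j-core jar.
POM_PROPS = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"

def parse_version(v: str) -> Tuple[int, ...]:
    """'2.14.1' -> (2, 14, 1) so versions compare numerically rather than as strings."""
    return tuple(int(x) for x in re.findall(r"\d+", v)[:3])

def core_version(jar: zipfile.ZipFile) -> Optional[str]:
    """Version recorded in pom.properties, or None if the archive is not log4j-core."""
    if POM_PROPS not in jar.namelist():
        return None
    lines = jar.read(POM_PROPS).decode("utf-8", "replace").splitlines()
    props = dict(ln.split("=", 1) for ln in lines if "=" in ln and not ln.startswith("#"))
    return props.get("version", "").strip() or None

def classify(version: str, min_fixed: str) -> str:
    """'affected' when older than the minimum fixed version taken from the Apache list."""
    return "affected" if parse_version(version) < parse_version(min_fixed) else "fixed"

def scan_archive(data: bytes, min_fixed: str, where: str) -> List[str]:
    """Check one archive and, recursively, any .jar/.war it embeds (fat jars, webapps)."""
    findings: List[str] = []
    with zipfile.ZipFile(io.BytesIO(data)) as jar:
        v = core_version(jar)
        if v:
            findings.append(f"{where}: log4j-core {v} ({classify(v, min_fixed)})")
        for name in jar.namelist():
            if name.endswith((".jar", ".war")):
                findings += scan_archive(jar.read(name), min_fixed, f"{where}!{name}")
    return findings

def scan_tree(root: Path, min_fixed: str) -> List[str]:
    """Walk a directory (e.g. an application server's lib/ and webapps/) for archives."""
    return [f for p in root.rglob("*") if p.is_file() and p.suffix in (".jar", ".war", ".ear")
            for f in scan_archive(p.read_bytes(), min_fixed, str(p))]

def make_sample_jar(version: Optional[str], nested: bytes = b"") -> bytes:
    """Constructed sample: a log4j-core jar if version is given, optionally embedding a jar."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as jar:
        if version:
            jar.writestr(POM_PROPS, f"artifactId=log4j-core\nversion={version}\n")
        if nested:
            jar.writestr("WEB-INF/lib/inner.jar", nested)
    return buf.getvalue()
```

Run it as `scan_tree(Path("/path/to/application"), "<minimum fixed version from the Apache page>")`; copies of log4j-core that were repackaged without their Maven metadata are not detected by this check and need a separate review.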

GovCERT.ch has published a dedicated page on this topic, which describes the security vulnerability in detail and illustrates both the problem and its solution with a diagram.


Diagram source: https://www.govcert.ch/blog/zero-day-exploit-targeting-popular-java-library-log4j/assets/log4j_attack.png