A remote-code execution vulnerability has been found in the prolific Java logging library
Log4j. This can allow an attacker to execute arbitrary code on software using this library,
which can then likely lead to the full attacker compromise of the underlying server. This
library is used in a significant number of applications, and can affect internally developed
and 3rd party applications. We are strongly advising everyone to review all internally
developed and 3rd party applications for their potential exposure to this Log4j vulnerability.
We will continue to update this page with updates as new information becomes available.
Security Advisory Details
CVE 2021-44228 is a critical remote code execution vulnerability that exploits the Apache Log4j2 library which can be found in a significant number of applications and platforms. In versions prior to 2.14.1 features used in configuration, log messages, and parameters do not protect against an attacker exploiting the Log4j mechanism to execute remote code on the vulnerable system. An attacker who can generate a log messages can execute arbitrary code which can in the worst case provide full system access when message lookup substitution is enabled. From log4j 2.15.0, this behavior has been disabled by default. In previous releases greater that 2.10 this behavior can be mitigated by disabling lookups in log event messages.
Keep yourself protected
Update to version 2.15 (or higher if available) immediately. Apply the update to resolve the vulnerability as soon as it is released by the affected Vendors.
In versions greater than 2.10 set the JVM Option - log4j2.formatMsgNoLookups=true
Utilise security monitoring to detect incoming JNDI attacks using crafted messages or HTTP requests and responses.
A significant number of products from multiple vendors are affected, and investigations are still on-going as to which products and services are affected. We have provided a summary of some of the more notably affected software applications below.
Mitigation / Remediation
All log4j-core versions between 2.0-beta9 and 2.14.1
Update to verions 2.15.0
In releases >=2.10, setting either the system property log4j2.formatMsgNoLookups or the environment variable LOG4J_FORMAT_MSG_NO_LOOKUPS to true.
For releases >=2.7 and <=2.14.1, see link for more information.
Jira Server & Data Center
Confluence Server & Data Center
Only vulnerable when using non-default config, cloud version still under investigation
Disabling any configured appenders utilising org.apache.log4j.JMSAppender by commenting out the relevant lines in your Log4j configuration file and restarting the application
6 to 6.32.2
7 to 7.32.2
JMX monitoring component leverages an impacted version of log4j
Update to 7.32.2 - impacted library is still included however they have taken the recommended precautions to disable vulnerable logic
Endpoint ProxyPolicy ManagerPolicy Manager Proxy
Download the patch from the F-Secure server
Graylog development team incorporated this fix into all supported versions of the platform (v3.3.15, v4.0.14, v4.1.9, and v4.2.3).
For any version under 3.3.15, upgrade or
apply a change to the Graylog startup configuration.
Continuous Delivery for Puppet Enterprise
Update available for version 4.x
Mitigations for 3.x which is EOL
Symantec Endpoint Protection Manager
UniFI Network Application
Upgrade to UniFi Network Application 6.5.54
Carbon Black Cloud Workload Appliance
Workaround: edit registry with -Dlog4j2.formatMsgNoLookups=true
Site Recovery Manager
Workaround available, see link.
vCenter Server (Windows & Virtual Appliance)
Patches Pending Workarounds available, see links.
A more comprehensive list of affected vendors and software applications is being maintained at: https://github.com/NCSC-NL/log4shell/tree/main/software
See our original advisory notification below.