Brief Overview: Log4j Vulnerability (CVE-2021-44228)
Log4j vulnerability (also called Log4shell) is a critical issue that has been discovered in popular logging package 4j on 9th December 2021. The good news is patch has been issued to mitigate this vulnerability.
What is Log4j?
Log4j is an open-source logging library commonly used by internet apps and services. For security reasons, all software has the ability to log for different purposes such as operational, security, etc., and Log4j serves the purpose. A vulnerability has been found in Log4j that allows remote code execution if left unpatched.
How to fix the Log4j vulnerability?
I am listed below mitigation techniques to fix the Log4j security vulnerability:
- Update Java 8 to release 2.16.0.
- If Java 7 is in use, it needs to be upgraded to release 2.12.2
- If you do not want to update Java, then remove the JndiLookup class from the following classpath.
zip -q -d log4j-core-*.jar org/apache/logging/log4j/core/lookup/JndiLookup.class
Note: Only the log4j-core JAR file is affected by this vulnerability. Remember if log4j-api JAR file is used by applications and services without the log4j-core, those applications are not impacted by this critical vulnerability.
Subscribe us to receive more such articles updates in your email.
If you have any questions, feel free to ask in the comments section below. Nothing gives me greater joy than helping my readers!
Disclaimer: This tutorial is for educational purpose only. Individual is solely responsible for any illegal act.
