In December 2021 a vulnerability termed Log4Shell was publicly disclosed. Initially only CVE-2021-44228 was associated with it, but it later transpired that the fix for this CVE did not address all issues, so CVE-2021-45046 is also associated with it. More recently CVE-2021-45105 was identified and has now been fixed in version 2.17.0.
Affected Versions
This only affects log4j-core; if you are using log4j-api without log4j-core, you are not vulnerable. However, if you are using both you will need to ensure both versions are the same, otherwise you will get errors.
- log4j-core <= 2.14.1: CVE-2021-44228 (High Risk)
  - CVSS 10.0: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
  - Remote Code Execution (RCE)
- log4j-core = 2.15.0: CVE-2021-45046 (Low Risk)
  - CVSS 3.7 (AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L), revised to 9.0 (AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H)
  - Remote Code Execution (RCE), but only with a customised logging configuration
- log4j-core <= 2.16.0 (excluding 2.12.13): CVE-2021-45105 (Low Risk)
  - CVSS 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)
  - Denial of Service (DoS), but only with a customised logging configuration
- log4j = 1.x: CVE-2021-44228 (only if JMSAppender is configured)
Remediation
- log4j-core <= 2.14.1: Update to version 2.17.0
- log4j-core = 2.15.0: Update to version 2.17.0 (the previous advice was to update to version 2.16.0 if and when you can, as this only represented a minor denial of service risk in specific situations)
- log4j-core = 2.16.0: Update to version 2.17.0
- Where updating is not possible, remove the class JndiLookup from the library:
zip -q -d log4j-core-*.jar org/apache/logging/log4j/core/lookup/JndiLookup.class
Previous advice was given to set the property formatMsgNoLookups or the environment variable LOG4J_FORMAT_MSG_NO_LOOKUPS; this is no longer deemed appropriate. The same goes for the configuration %m{nolookups}, %msg{nolookups} or %message{nolookups}.
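As an added example (not code from this page or from the Apache Log4j project), the Python script below turns the version table and the JndiLookup removal step above into an inventory check: it walks a directory of archives, including jars nested inside wars, reads the log4j-core version from the Maven pom.properties marker that log4j-core jars carry, classifies it against the CVE table above exactly as stated (including the 2.12.13 exclusion), and reports whether org/apache/logging/log4j/core/lookup/JndiLookup.class is still present. The sample archives it builds are constructed for the demonstration and contain only the marker files, not real log4j classes.

```python
"""Find log4j-core jars and classify them against the advisory's version table."""
import io
import re
import zipfile
from pathlib import Path

JNDI_LOOKUP_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
# Standard Maven marker inside log4j-core jars; carries the artifact version.
POM_PROPERTIES = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
ARCHIVE_SUFFIXES = (".jar", ".war", ".ear", ".zip")


def parse_version(text):
    """'2.14.1' -> (2, 14, 1); a missing patch number counts as 0."""
    m = re.match(r"(\d+)\.(\d+)(?:\.(\d+))?", text or "")
    return None if m is None else (int(m.group(1)), int(m.group(2)), int(m.group(3) or 0))


def classify(version):
    """CVEs that apply to a log4j-core version, following the table above literally."""
    v = parse_version(version)
    if v is None:
        return ["unknown version"]
    if v[0] != 2:
        return ["not log4j 2.x (1.x: CVE-2021-44228 only if JMSAppender is configured)"]
    issues = []
    if v <= (2, 14, 1):
        issues.append("CVE-2021-44228")
    if v == (2, 15, 0):
        issues.append("CVE-2021-45046")
    if v <= (2, 16, 0) and v != (2, 12, 13):  # exclusion as stated in the table above
        issues.append("CVE-2021-45105")
    return issues


def inspect_archive(data, path="<bytes>", results=None):
    """Walk one archive (and any archive nested in it) and record every log4j-core found."""
    if results is None:
        results = []
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return results  # not a zip container at all
    with zf:
        names = set(zf.namelist())
        if POM_PROPERTIES in names:
            version = None
            for line in zf.read(POM_PROPERTIES).decode("utf-8", "replace").splitlines():
                if line.startswith("version="):
                    version = line.split("=", 1)[1].strip()
            results.append({
                "path": path,
                "version": version,
                "jndi_lookup_present": JNDI_LOOKUP_CLASS in names,
                "cves": classify(version),
            })
        # Fat jars and wars bundle log4j-core as an inner archive; recurse into those.
        for name in names:
            if name.lower().endswith(ARCHIVE_SUFFIXES):
                inspect_archive(zf.read(name), f"{path}!{name}", results)
    return results


def scan_directory(root):
    """Inspect every archive below a directory tree."""
    results = []
    for p in Path(root).rglob("*"):
        if p.is_file() and p.suffix.lower() in ARCHIVE_SUFFIXES:
            inspect_archive(p.read_bytes(), str(p), results)
    return results


def build_sample_archive(version, include_jndi_lookup, wrap_in_war=False):
    """Constructed sample (not a real log4j build): only the Maven marker and the class entry."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(POM_PROPERTIES,
                    f"groupId=org.apache.logging.log4j\nartifactId=log4j-core\nversion={version}\n")
        if include_jndi_lookup:
            zf.writestr(JNDI_LOOKUP_CLASS, b"\xca\xfe\xba\xbe")  # class-file magic only
    jar = buf.getvalue()
    if not wrap_in_war:
        return jar
    outer = io.BytesIO()
    with zipfile.ZipFile(outer, "w") as zf:
        zf.writestr(f"WEB-INF/lib/log4j-core-{version}.jar", jar)
    return outer.getvalue()


def report(results):
    """One human-readable line per log4j-core found."""
    lines = []
    for r in results:
        status = ", ".join(r["cves"]) or "no listed CVE"
        if "CVE-2021-44228" in r["cves"] and not r["jndi_lookup_present"]:
            status += " (JndiLookup.class removed: RCE mitigated, still update to 2.17.0)"
        lines.append(f"{r['path']}: log4j-core {r['version']} -> {status}")
    return lines


if __name__ == "__main__":
    samples = [
        ("app.war", build_sample_archive("2.14.1", True, wrap_in_war=True)),
        ("patched.jar", build_sample_archive("2.14.1", False)),
        ("fixed.jar", build_sample_archive("2.17.0", True)),
    ]
    for name, data in samples:
        for line in report(inspect_archive(data, name)):
            print(line)
```

On a real system, call scan_directory on the application's library directory; a jar whose table entry lists CVE-2021-44228 but which no longer contains JndiLookup.class has had the class-removal mitigation applied, while the remaining CVE-2021-45105 entry still calls for the update to 2.17.0.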
You can get the full details from the official Apache security advisory.