Log4Shell (CVE-2021-44228, CVE-2021-45046 & CVE-2021-45105)

⚠️
Details of this post were last updated at 14:00 on 18 December 2021 and are correct as of that update.

In December 2021 a vulnerability termed Log4Shell was publicly disclosed. Initially only CVE-2021-44228 was associated with it, but it later transpired that the fix for this CVE (log4j 2.15.0) did not address all issues, so CVE-2021-45046 is also associated with it. More recently CVE-2021-45105 was identified; it is fixed in version 2.17.0.

Affected Versions

This only affects log4j-core: if you are using log4j-api without log4j-core, you are not vulnerable. If you are using both, you will need to keep both at the same version, otherwise you will get errors.

  • log4j-core <= 2.14.1: CVE-2021-44228 (High Risk)
    • CVSS 10.0: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
    • Remote Code Execution (RCE)
  • log4j-core = 2.15.0: CVE-2021-45046 (originally rated Low Risk, since revised upwards)
    • CVSS 3.7 as first published: AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L
    • CVSS 9.0 after revision: AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H
    • Remote Code Execution (RCE), but only with a non-default logging configuration (a Pattern Layout using a Context Lookup such as ${ctx:loginId})
  • log4j-core <= 2.16.0 (excluding 2.12.3): CVE-2021-45105 (lower practical risk, as it needs a non-default configuration)
    • CVSS 7.5: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
    • Denial of Service (DoS), but only with a non-default logging configuration (again a Context Lookup in the Pattern Layout)
  • log4j = 1.x: not affected by CVE-2021-44228 (1.x has no lookup feature). The related JMSAppender issue is tracked separately as CVE-2021-4104 and only applies if JMSAppender is configured and the attacker can modify the logging configuration.

Remediation

  • log4j-core <= 2.14.1: Update to version 2.17.0
  • log4j-core = 2.15.0: Update to version 2.17.0
  • log4j-core = 2.16.0: Update to version 2.17.0
  • Where updating is not possible, remove the class JndiLookup from the library: zip -q -d log4j-core-*.jar org/apache/logging/log4j/core/lookup/JndiLookup.class (run this against one jar at a time). Note that this only mitigates the two RCE CVEs; the CVE-2021-45105 DoS sits in the lookup substitution code rather than in JndiLookup, so it still requires the upgrade.

Previous advice was to set the system property formatMsgNoLookups (or the environment variable LOG4J_FORMAT_MSG_NO_LOOKUPS), or to use %m{nolookups}, %msg{nolookups} or %message{nolookups} in the pattern layout. This is no longer considered adequate: these settings only disable lookups in the log message itself and do not cover the Context Lookup case behind CVE-2021-45046.
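The audit and fallback above, as an added example that is not part of this post or of the Log4j project: a Python script that finds log4j-core jars under a directory, reads the version from the jar's Maven pom.properties (assumed present, as it is in the official builds, with the file name as a fallback), maps it to the CVE ranges listed above plus the 2.12.x Java 7 backports, and, where an upgrade is not possible, removes JndiLookup.class the same way the zip command does. The sample jars are constructed in a temp directory so it runs offline, and the report records which CVE the fallback leaves open.

```python
"""Audit a directory tree for log4j-core jars, map each one to the Log4Shell
CVEs listed above and, where an upgrade is not possible, apply the advisory's
fallback of deleting JndiLookup.class from the jar.
Added example, not the blog's or the Log4j project's code; sample jars are
constructed in a temp dir so everything runs offline."""
import re
import tempfile
import zipfile
from pathlib import Path

JNDI_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
# Maven-built jars (as the official releases are) carry their coordinates here.
POM_PROPS = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
JNDI_CVES = {"CVE-2021-44228", "CVE-2021-45046"}  # what removing JndiLookup addresses


def parse_version(text):
    """'2.14.1' -> (2, 14, 1); a pre-release tag such as '2.0-beta9' parses as (2, 0, 0)."""
    m = re.match(r"(\d+)\.(\d+)(?:\.(\d+))?", text)
    if not m:
        raise ValueError(f"unrecognised log4j version: {text!r}")
    return tuple(int(x or 0) for x in m.groups())


def classify(version):
    """CVEs applying to a log4j-core version, per the ranges above plus the
    Java 7 backports (2.12.2 fixes the two JNDI CVEs, 2.12.3 also the DoS)."""
    v = parse_version(version)
    if v[0] != 2:
        return set()  # log4j 1.x has no lookup mechanism; its JMSAppender issue is separate
    java7_line = v[:2] == (2, 12)
    jndi_fixed = v >= (2, 16, 0) or (java7_line and v[2] >= 2)
    dos_fixed = v >= (2, 17, 0) or (java7_line and v[2] >= 3)
    cves = set()
    if v <= (2, 14, 1) and not jndi_fixed:
        cves.add("CVE-2021-44228")
    if not jndi_fixed:
        cves.add("CVE-2021-45046")  # 2.15.0, and everything 44228 already hits
    if not dos_fixed:
        cves.add("CVE-2021-45105")
    return cves


def jar_version(jar_path):
    """Read the version from pom.properties, falling back to the file name."""
    with zipfile.ZipFile(jar_path) as z:
        if POM_PROPS in z.namelist():
            for line in z.read(POM_PROPS).decode().splitlines():
                if line.startswith("version="):
                    return line.split("=", 1)[1].strip()
    m = re.search(r"log4j-core-([\w.\-]+)\.jar$", str(jar_path))
    if m:
        return m.group(1)
    raise ValueError(f"cannot determine version of {jar_path}")


def strip_jndi_lookup(jar_path):
    """Equivalent of `zip -q -d <jar> .../JndiLookup.class`: zipfile cannot delete
    in place, so copy every other entry to a temp jar and swap it in.
    Returns True if the class was present and has been removed."""
    src = Path(jar_path)
    tmp = src.with_name(src.name + ".tmp")
    removed = False
    with zipfile.ZipFile(src) as zin, zipfile.ZipFile(tmp, "w") as zout:
        for info in zin.infolist():
            if info.filename == JNDI_CLASS:
                removed = True
                continue
            zout.writestr(info, zin.read(info.filename))
    if removed:
        tmp.replace(src)
    else:
        tmp.unlink()
    return removed


def audit(root, strip=False):
    """Map every log4j-core jar under `root` to its CVEs. With strip=True the
    JndiLookup fallback is applied; it leaves CVE-2021-45105 open."""
    report = {}
    for jar in sorted(Path(root).rglob("log4j-core-*.jar")):
        version = jar_version(jar)
        cves = classify(version)
        action, remaining = "none", set(cves)
        if cves and not strip:
            action = "upgrade to 2.17.0"
        elif cves:
            action = "stripped JndiLookup" if strip_jndi_lookup(jar) else "JndiLookup already absent"
            remaining = cves - JNDI_CVES  # the DoS CVE does not live in JndiLookup
        report[jar.name] = {"version": version, "cves": sorted(cves),
                            "action": action, "remaining": sorted(remaining)}
    return report


def make_sample_jar(path, version, with_jndi=True):
    """Constructed stand-in for a log4j-core jar: a few placeholder entries only."""
    with zipfile.ZipFile(path, "w") as z:
        z.writestr(POM_PROPS, f"artifactId=log4j-core\nversion={version}\n")
        z.writestr("org/apache/logging/log4j/core/Logger.class", b"\xca\xfe\xba\xbe")
        if with_jndi:
            z.writestr(JNDI_CLASS, b"\xca\xfe\xba\xbe")


def demo():
    """Build three constructed jars in a temp dir and audit them with the fallback applied."""
    root = Path(tempfile.mkdtemp())
    for v in ("2.14.1", "2.16.0", "2.17.0"):
        make_sample_jar(root / f"log4j-core-{v}.jar", v)
    return audit(root, strip=True)


if __name__ == "__main__":
    for name, row in demo().items():
        print(name, row)
```

Run it against a real deployment with `audit("/opt/app", strip=False)` first to get the inventory, and only pass `strip=True` for hosts that genuinely cannot be upgraded; the `remaining` field makes it explicit that a stripped 2.14.1 or 2.16.0 jar is still exposed to the CVE-2021-45105 DoS.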

You can get the full details from the official Apache security advisory.