Log4j is an open-source logging library developed by the Apache Foundation and is used in many different products. As it is open source, this can include custom-built, in-house applications.
An unauthenticated remote code execution vulnerability (CVE-2021-44228) affects Apache Log4j versions 2.0-beta9 to 2.15.0.
Previous advice recommended upgrading to 2.15.0, but it has now been discovered that the fix in this version is incomplete, and as such, upgrading to 2.17.0 is the new recommendation. More information is available on this here:
We are aware that scanning and attempts to exploit this are taking place in the wild, globally and in the UK.
Some of the affected versions are no longer supported, and as such, any affected devices should be upgraded immediately to remove the risk of this vulnerability being exploited. The latest version of Log4j is 2.16.0. Upgrading should be the first priority for your organisation.
There may be unknown instances of Log4j on your network, and these should be found and patched as soon as possible. The NCSC has written some instructions on how to search for them:
A file system search for Log4j can be undertaken. This should include searching inside EAR, JAR and WAR files. For example:
find / -type f -print0 | xargs -n1 -0 zipgrep -i log4j2 2>/dev/null
If a dependency or package manager is used, this can be searched. For example:
dpkg -l | grep log4j
There could be multiple copies of Log4j present; each copy will need to be updated or mitigated.
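As an added example (not from the NCSC or this advisory), the following Python scanner extends the file-system search above into nested archives: it walks JAR, WAR and EAR files recursively, reports each Log4j core copy with the version recorded in its bundled Maven pom.properties (falling back to the file name), and records whether JndiLookup.class is still present in that copy. The WAR it builds for demonstration is constructed here and contains no real Log4j code.

```python
import io, os, re, zipfile

ARCHIVE_EXT = (".jar", ".war", ".ear", ".zip")
CORE_RE = re.compile(r"log4j-core-([0-9][\w.-]*)\.jar$")
POM = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
JNDI = "org/apache/logging/log4j/core/lookup/JndiLookup.class"

def scan_archive(data, path, findings):
    """Inspect one archive given as bytes; recurses into archives nested inside it."""
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return findings  # not a zip container, nothing to inspect
    with zf:
        names = set(zf.namelist())
        if POM in names or CORE_RE.search(path):
            m = CORE_RE.search(path)
            version = m.group(1) if m else "unknown"  # file-name fallback, pom.properties wins below
            for line in (zf.read(POM).decode("utf-8", "replace").splitlines() if POM in names else []):
                if line.startswith("version="):
                    version = line.split("=", 1)[1].strip()
            findings.append({"path": path, "version": version, "jndi_lookup": JNDI in names})
        for name in names:  # recurse into archives packed inside this one
            if name.lower().endswith(ARCHIVE_EXT):
                scan_archive(zf.read(name), path + "!/" + name, findings)
    return findings

def scan_tree(root):
    """On-disk entry point: scan every archive under root (for example "/")."""
    findings = []
    for d, _, files in os.walk(root):
        for f in files:
            if f.lower().endswith(ARCHIVE_EXT):
                with open(os.path.join(d, f), "rb") as fh:
                    scan_archive(fh.read(), os.path.join(d, f), findings)
    return findings

def build_sample_war():
    """Constructed sample WAR (not a real artifact): two fake log4j-core jars plus an unrelated jar."""
    def jar(entries):  # build a small zip in memory from {entry name: content}
        buf = io.BytesIO()
        with zipfile.ZipFile(buf, "w") as z:
            for n, b in entries.items(): z.writestr(n, b)
        return buf.getvalue()
    war = io.BytesIO()
    with zipfile.ZipFile(war, "w") as z:
        z.writestr("WEB-INF/lib/log4j-core-2.14.1.jar", jar({POM: "version=2.14.1\n", JNDI: b"\xca\xfe\xba\xbe"}))
        z.writestr("WEB-INF/lib/log4j-core-2.11.2.jar", jar({POM: "version=2.11.2\n"}))  # JndiLookup.class removed
        z.writestr("WEB-INF/lib/other-lib-1.0.jar", jar({"META-INF/MANIFEST.MF": "Manifest-Version: 1.0\n"}))
    return war.getvalue()
```

Each finding shows the full nesting path (outer.war!/inner.jar), so every copy the advisory warns about can be located and upgraded or mitigated individually.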
We recommend using protective network monitoring/blocking to assist in mitigating against this threat. Police Cyber Alarm has been updated to offer specific reporting on this vulnerability. If you’re not already registered, you can do so here:
You can find more information about this vulnerability on the NCSC’s website here: