What is the Log4j RCE Vulnerability?
I've been hearing a lot about a new vulnerability in Apache. What is it and how can I mitigate this?
It has come to light that specific versions of the popular Apache Log4j utility are vulnerable to remote code execution (RCE). If you are using Log4j, you should update to version 2.15.0 as soon as possible. The latest version can be found at the Apache Log4j download page:
If you are unable to upgrade to version 2.15, then as per the National Vulnerability Database, you will want to make an adjustment to your system configuration as follows:
In previous releases (>2.10) this behavior can be mitigated by setting system property "log4j2.formatMsgNoLookups" to "true"
For more information please review Apache's security release:
I hope this information helps!
As the question refers to this as a "new vulnerability in Apache", I think it might be helpful to also make it abundantly clear that this vulnerability has no relation to Apache httpd at all.
This is purely about the very popular logging component for Java software named log4j (also by the Apache Software Foundation).
The implication being that a lot of Java-based software inherits this vulnerability because of how common it is to use log4j.
Whether you use log4j yourself or not, investigate any Java-based software that you have installed.
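As an added example (not code from either answer above), a POSIX shell script that does what the two answers recommend: it inventories log4j-core jars installed on a host, flags 2.x releases older than the 2.15.0 the first answer says to upgrade to, and checks a JVM command line for the log4j2.formatMsgNoLookups=true fallback property. It assumes the version is readable from the jar filename (log4j-core-<version>.jar); the function names are my own.

```shell
#!/bin/sh
# Added example, not code from the original answers. Inventories log4j-core
# jars under a directory, flags 2.x releases older than 2.15.0, and checks a
# JVM command line for the log4j2.formatMsgNoLookups=true fallback property.
# Versions are read from the jar filename (log4j-core-<version>.jar); a copy
# repackaged under another name or inside an uber jar is not seen.

# Exit 0 when VERSION is a Log4j 2.x release older than 2.15.0, else exit 1.
# The 1.x line is a separate code base and is deliberately out of scope.
log4j_version_is_old() {
    v=${1%%[-_]*}                             # drop "-beta9" / "-rc1" suffixes
    case $v in *.*) major=${v%%.*} ;; *) major=$v ;; esac
    rest=${v#*.}; [ "$rest" = "$v" ] && rest=0
    minor=${rest%%.*}
    case $major in ''|*[!0-9]*) return 1 ;; esac   # not a numeric version
    case $minor in ''|*[!0-9]*) return 1 ;; esac
    [ "$major" -eq 2 ] && [ "$minor" -lt 15 ]
}

# Print one line per log4j-core jar under ROOT: "<status> <version> <path>".
scan_log4j_core() {
    find "$1" -type f -name 'log4j-core-*.jar' | while IFS= read -r jar; do
        ver=${jar##*/log4j-core-}; ver=${ver%.jar}
        if log4j_version_is_old "$ver"; then
            printf 'VULNERABLE %s %s\n' "$ver" "$jar"
        else
            printf 'ok %s %s\n' "$ver" "$jar"
        fi
    done
}

# Number of jars still needing the upgrade (or the property-based mitigation).
count_vulnerable_jars() {
    scan_log4j_core "$1" | grep -c '^VULNERABLE' || true
}

# Exit 0 when a JVM command line (e.g. from `ps -o args=`) carries the
# fallback property from the answer; per the quoted NVD note it only
# applies to 2.10 and later, so it is no substitute for the version check.
jvm_has_nolookups_flag() {
    case " $1 " in *" -Dlog4j2.formatMsgNoLookups=true "*) return 0 ;; esac
    return 1
}

# Usage: sh log4j_inventory.sh /path/to/scan
if [ -n "$1" ]; then
    scan_log4j_core "$1"
    echo "log4j-core jars needing attention: $(count_vulnerable_jars "$1")"
fi
```

Run it against each application root you find (including WEB-INF/lib directories of deployed web applications); an empty result only means nothing was found by filename, not that the host is clean.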