Apache Log4j Security Vulnerabilities
Issue: Active Exploitation of Apache Log4j2 Arbitrary Code Execution (CVE-2021-44228)
CVSS Score: 10.0 / Critical
Date Published: 12/9/2021
Systems Affected: Apache Log4j2 < 2.15.0
A vulnerability in the Apache Log4j2 could allow an unauthenticated attacker to execute arbitrary code on an affected system through simple HTTP connections. If exploited, an attacker could take over an affected system. Due to the severity of the vulnerability, the widespread usage of Apache Log4j2 in applications, and the recent scanning and exploitation of the vulnerability, it is recommended that affected systems are updated or apply mitigations immediately.
NOTE: The information on this page may change at any time. Please check the vendor's websites for the most current updates.
Resources:
- Apache Log4j2 Advisory: https://logging.apache.org/log4j/2.x/security.html
- ARS Technica Article: https://arstechnica.com/information-technology/2021/12/minecraft-and-other-apps-face-serious-threat-from-new-code-execution-bug/
- LunaSec Blog: https://www.lunasec.io/docs/blog/log4j-zero-day/#temporary-mitigation
For any questions regarding this please email us at sladmin@hawaii.edu.