LOG4J CVE-2021-44228 Vulnerability


eApps Hosting has become aware of a vulnerability affecting Java servers that use the log4j library (CVE-2021-44228, also known as Log4Shell). We have taken action at our core firewall level to block requests that match known exploitation patterns; however, a network-level block is only a stopgap and does not catch every variant of the payload, so we strongly recommend that you update log4j within your application or apply one of the workarounds below (a JVM property in your server's wrapper file, or a change to the library itself).

 

Note that this vulnerability only impacts Java server deployments (Tomcat, JBoss, WildFly or GlassFish) whose applications use the log4j 2 library (log4j-core, versions 2.0-beta9 through 2.14.1) for logging. Our standard installation does not ship log4j, but applications deployed on the server frequently bundle their own copy, so you may need to check with your developers regarding the application.

 

More information can be found here:

 

https://nvd.nist.gov/vuln/detail/CVE-2021-44228

https://access.redhat.com/security/cve/cve-2021-44228

 

How to check if I’m using Log4J?

 

  1. Retrieve your root credentials from your customer portal at portal.eapps.com --> My Cloud --> Virtual Servers --> Click on the magnifying glass for the server you want to check --> You will find the credentials under Virtual Machine Details
  2. Use PuTTY on Windows or a terminal on Mac to connect to your server over SSH
  3. Run the command: cd /opt/
  4. Run the command: find . -name '*log4j*' (quote the pattern so the shell does not expand it against files in the current directory before find sees it)
  5. If the library is present as a separate file, this shows its location within your application. The affected component is log4j-core 2.x; log4j-api on its own is not affected. A filename search will not find a log4j-core jar packaged inside a WAR or EAR archive, or one repackaged (shaded) into another jar, so also ask your developers to confirm which logging library the application bundles.

 

How to mitigate?

 

For updating log4j you will need to work with your developers so they can update the library within your application.

 

Depending on the version you are on, you can apply a workaround while you arrange for the library to be updated:

  1. Log4j 2.10 or later: add the JVM system property -Dlog4j2.formatMsgNoLookups=true to the Java options in the wrapper file (for Tomcat 8 you will find it under /etc/tomcat8/tomcat.conf), then restart the server. Setting the environment variable LOG4J_FORMAT_MSG_NO_LOOKUPS=true for the Java process has the same effect.
  2. Log4j earlier than 2.10:
    1. specify %m{nolookups} in the PatternLayout configuration (available from 2.7) to prevent lookups in log event messages, or
    2. remove the JndiLookup and JndiManager classes from the log4j-core jar. Removal of JndiManager will cause the JndiContextSelector and JMSAppender to no longer function.

Note that these workarounds are stopgaps. Apache subsequently found that formatMsgNoLookups and %m{nolookups} do not cover every configuration (CVE-2021-45046); removing the JndiLookup class from log4j-core works on any 2.x version, and upgrading to a fixed release (2.17.1 or later for Java 8) remains the only complete fix. After applying any change, restart the Java server so the running process picks it up.
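The following is an added example that serves both the "How to check" procedure above and the class-removal workaround; it is not eApps' or Apache's own code. It assumes only the Python standard library and builds a constructed directory tree standing in for /opt (fake jars that carry only the entry names the scanner keys on). It finds every log4j-core copy, including ones nested inside a WAR where a filename search shows nothing, reports the version from the jar's Maven pom.properties, and rewrites a jar without JndiLookup.class (the same result as the Apache-advised `zip -q -d` on the jar).

```python
# Added example (not eApps' or Apache's code): standard library only.
import io
import tempfile
import zipfile
from pathlib import Path

# Entry names inside log4j-core that identify it and the class behind CVE-2021-44228.
JNDI_LOOKUP = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
POM_PROPS = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
ARCHIVES = (".jar", ".war", ".ear", ".zip")


def _version(zf):
    """Version from log4j-core's pom.properties, or None (shaded jars often drop it)."""
    if POM_PROPS not in zf.namelist():
        return None
    for line in zf.read(POM_PROPS).decode("utf-8", "replace").splitlines():
        if line.startswith("version="):
            return line.split("=", 1)[1].strip()
    return None


def inspect_archive(zf, label):
    """Yield (location, version, jndi_lookup_present) for each log4j-core copy in zf,
    recursing into nested archives (WAR/EAR bundles are where a filename search misses it)."""
    names = set(zf.namelist())
    if JNDI_LOOKUP in names or POM_PROPS in names:
        yield (label, _version(zf), JNDI_LOOKUP in names)
    for name in names:
        if name.lower().endswith(ARCHIVES):
            try:
                inner = zipfile.ZipFile(io.BytesIO(zf.read(name)))
            except zipfile.BadZipFile:
                continue
            yield from inspect_archive(inner, f"{label}!{name}")


def scan(root):
    """Walk root (e.g. /opt) and return findings for every archive carrying log4j-core."""
    findings = []
    for path in Path(root).rglob("*"):
        if path.is_file() and path.suffix.lower() in ARCHIVES:
            try:
                with zipfile.ZipFile(path) as zf:
                    findings.extend(inspect_archive(zf, str(path)))
            except zipfile.BadZipFile:
                continue
    return findings


def remove_jndi_lookup(jar_path):
    """Rewrite the jar without JndiLookup.class; return True if the entry was present.
    Every other entry, including META-INF, is copied with its original metadata."""
    jar_path = Path(jar_path)
    tmp = jar_path.with_name(jar_path.name + ".tmp")
    with zipfile.ZipFile(jar_path) as src:
        if JNDI_LOOKUP not in src.namelist():
            return False
        with zipfile.ZipFile(tmp, "w") as dst:
            for info in src.infolist():
                if info.filename != JNDI_LOOKUP:
                    dst.writestr(info, src.read(info.filename))
    tmp.replace(jar_path)  # atomic swap: a crash never leaves a half-written jar
    return True


def fake_log4j_core(version, with_jndi=True):
    """Constructed stand-in for a log4j-core jar (not a real build); only entry names matter."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(POM_PROPS, f"artifactId=log4j-core\nversion={version}\n")
        zf.writestr("org/apache/logging/log4j/core/Logger.class", b"\xca\xfe\xba\xbe")
        if with_jndi:
            zf.writestr(JNDI_LOOKUP, b"\xca\xfe\xba\xbe")
    return buf.getvalue()


def demo():
    """Build a constructed /opt-like tree, scan, strip the class from the exposed jar, rescan.
    Returns (before, after) with locations relative to the temp root, sorted."""
    with tempfile.TemporaryDirectory() as tmp:
        lib = Path(tmp, "tomcat8", "webapps", "app", "WEB-INF", "lib")
        lib.mkdir(parents=True)
        (lib / "log4j-core-2.14.1.jar").write_bytes(fake_log4j_core("2.14.1"))
        api = io.BytesIO()
        with zipfile.ZipFile(api, "w") as zf:  # log4j-api alone is not affected
            zf.writestr("org/apache/logging/log4j/Logger.class", b"\xca\xfe\xba\xbe")
        (lib / "log4j-api-2.14.1.jar").write_bytes(api.getvalue())
        war = io.BytesIO()
        with zipfile.ZipFile(war, "w") as zf:  # log4j-core hidden inside a WAR
            zf.writestr("WEB-INF/lib/log4j-core-2.11.2.jar", fake_log4j_core("2.11.2"))
        Path(tmp, "tomcat8", "webapps", "shop.war").write_bytes(war.getvalue())

        def rel(findings):
            return sorted((loc[len(tmp) + 1:], ver, jndi) for loc, ver, jndi in findings)

        before = rel(scan(tmp))
        remove_jndi_lookup(lib / "log4j-core-2.14.1.jar")
        return before, rel(scan(tmp))


if __name__ == "__main__":
    for tag, findings in zip(("before", "after"), demo()):
        for loc, ver, jndi in findings:
            print(f"{tag}: {loc} version={ver} JndiLookup={'present' if jndi else 'removed'}")
```

On a real server, call scan("/opt") (or the Tomcat base directory) instead of the demo tree. A copy inside a WAR shows up with a location of the form path/to/app.war!WEB-INF/lib/log4j-core-x.y.z.jar; stripping the class there means unpacking the WAR, patching the inner jar and repacking, which is a job for the application's developers rather than a one-line edit. The log4j-api jar in the sample is deliberately not reported.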

  

If you have any questions or need assistance, please contact us at support@eapps.com.

 

