Apache Log4j Security Vulnerability impact on Java (CVE-2021-44228)

Last week, a serious security vulnerability was disclosed with a Common Vulnerability Scoring System (CVSS) rating of 10/10.
This does not happen often, so let's have a closer look at what it is and what can be done about it.

To start, here are some of our most used products that SAP has confirmed as NOT impacted.

This means there is NO risk for your implementation from this Log4j issue:

SAP BusinessObjects Business Intelligence *
SAP HANA Database
SAP HANA Smart Data Integration
SAP HANA Streaming Analytics
SAP HANA Spatial Service
SAP Data Warehouse Cloud
SAP Predictive Analytics
SAP Data Services
SAP Cloud Integration for Data Services
SAP Information Steward* (BO does not use the impacted library in any currently supported version, but it is advised to be on at least 4.2 SP5 for further security / mitigation against Remote Code Execution)

What is Log4j?

Apache Log4j is a Java-based logging utility. Maintained by the Apache Software Foundation, it is one of the most used logging libraries in modern web/Java applications. Applications written in other JVM languages such as Scala, Groovy, or Clojure are also impacted when they use Log4j.

Why should I be concerned?

Very simplified: it allows attackers to run their own code on the affected server from a remote location => This is a very serious security threat to a lot of applications still running today!

More detailed: an attacker who can control log messages or log message parameters can execute arbitrary code loaded from LDAP servers when message lookup substitution is enabled.
This diagram from the Computer Emergency Response Team (GovCERT) of the Swiss government highlights the topic in more detail and shows where resolutions are possible.


Which versions are impacted?

Library versions Log4j 2.x (all versions from 2.0-beta9 through 2.12.1 and 2.13.0 through 2.15.0) are affected.
If you are still using a Log4j 1.x you should upgrade as soon as possible, as it has been out of support for years.
Note that only the log4j-core JAR file is impacted by this vulnerability. Applications using only the log4j-api JAR file without the log4j-core JAR file are not impacted by this vulnerability.

How to resolve it?

Option 1: Upgrade

  • Java 8 (or later) users should upgrade to release Log4j 2.16.0. (2.15.0 is not sufficient: it removed the main vulnerability, but left room for other issues like DoS attacks.)
  • Users requiring Java 7 should upgrade to release Log4j 2.12.2 when it becomes available (this version is expected to be available soon).

Option 2: Workarounds in use

Be warned that this has been found to be NOT effective enough for all versions!

For version >= 2.10: set log4j2.formatMsgNoLookups to true

This is a quick fix on your web server/application that prevents the vulnerable lookup from being used.
On the Java tab, add the line:

-Dlog4j2.formatMsgNoLookups=true


For releases from 2.0 to 2.10.0: remove the JNDI lookup class from the log4j-core JAR

zip -q -d log4j-core-*.jar org/apache/logging/log4j/core/lookup/JndiLookup.class

I am still not sure if I am impacted?

If you need help determining whether you are impacted, feel free to contact us!
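The version ranges above, the JndiLookup.class removal workaround, and the question "am I impacted?" can be checked mechanically on a deployment. The following Python script is an added example written for this post; it is not code from SAP, Apache, or the original author. It walks a directory for log4j-core JARs, reads the version from the file name or from the manifest's Implementation-Version, applies the ranges stated in this post (fixed from 2.16.0 or 2.12.2, the formatMsgNoLookups flag honoured from 2.10), and can rewrite a JAR without JndiLookup.class, which has the same effect as the zip -d command above. The JARs built by demo() are constructed stand-ins with placeholder content, not real Log4j binaries.

```python
import os
import re
import tempfile
import zipfile

# Class whose removal is the post's workaround for releases 2.0 to 2.10.0.
JNDI_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
FILENAME_RE = re.compile(r"^log4j-core-(\d+\.\d+\.\d+)\.jar$")

# Version boundaries as stated in the post.
FIRST_FIXED_2X = (2, 16, 0)    # 2.15.0 is not sufficient
FIXED_JAVA7 = (2, 12, 2)       # fixed release for Java 7 users
FLAG_WORKS_FROM = (2, 10, 0)   # log4j2.formatMsgNoLookups honoured from 2.10

STATUS_FIXED = "fixed release"
STATUS_EOL = "Log4j 1.x: out of support, upgrade"
STATUS_MITIGATED = "affected release, JndiLookup.class already removed"
STATUS_FLAG = "vulnerable: upgrade, interim -Dlog4j2.formatMsgNoLookups=true"
STATUS_REMOVE = "vulnerable: upgrade, interim remove JndiLookup.class"
STATUS_UNKNOWN = "version not recognised: inspect manually"


def parse_version(text):
    """'2.14.1' -> (2, 14, 1); None if the string is not a plain x.y.z (e.g. 2.0-beta9)."""
    m = re.fullmatch(r"(\d+)\.(\d+)\.(\d+)", text or "")
    return tuple(int(p) for p in m.groups()) if m else None


def jar_version(path, zf):
    """Version from the file name, else from the manifest's Implementation-Version."""
    m = FILENAME_RE.match(os.path.basename(path))
    if m:
        return parse_version(m.group(1))
    try:
        manifest = zf.read("META-INF/MANIFEST.MF").decode("utf-8", "replace")
    except KeyError:
        return None
    for line in manifest.splitlines():
        if line.startswith("Implementation-Version:"):
            return parse_version(line.split(":", 1)[1].strip())
    return None


def classify(version, jndi_present):
    """Apply the post's version ranges and workaround rules to one JAR."""
    if version is None:
        return STATUS_UNKNOWN
    if version[0] == 1:
        return STATUS_EOL
    if version >= FIRST_FIXED_2X or version == FIXED_JAVA7:
        return STATUS_FIXED
    if not jndi_present:
        return STATUS_MITIGATED
    return STATUS_FLAG if version >= FLAG_WORKS_FROM else STATUS_REMOVE


def scan(root):
    """Classify every log4j-core JAR under root; returns {path: (version, status)}."""
    results = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            if not (name.startswith("log4j-core") and name.endswith(".jar")):
                continue
            path = os.path.join(dirpath, name)
            with zipfile.ZipFile(path) as zf:
                version = jar_version(path, zf)
                jndi_present = JNDI_CLASS in zf.namelist()
            results[path] = (version, classify(version, jndi_present))
    return results


def remove_jndi_lookup(jar_path):
    """Rewrite the JAR without JndiLookup.class (same effect as the post's zip -d).
    Returns True if the class was present and has been removed."""
    tmp_path = jar_path + ".tmp"
    removed = False
    with zipfile.ZipFile(jar_path) as src, zipfile.ZipFile(tmp_path, "w") as dst:
        for info in src.infolist():
            if info.filename == JNDI_CLASS:
                removed = True
                continue
            dst.writestr(info, src.read(info.filename))
    os.replace(tmp_path, jar_path)
    return removed


def build_sample_jar(path, version, include_jndi=True):
    """Constructed stand-in for a log4j-core JAR: a manifest plus a placeholder class entry."""
    with zipfile.ZipFile(path, "w") as zf:
        zf.writestr("META-INF/MANIFEST.MF",
                    "Manifest-Version: 1.0\nImplementation-Version: %s\n" % version)
        if include_jndi:
            zf.writestr(JNDI_CLASS, b"placeholder, not real bytecode")


def demo():
    """Build constructed JARs in a temp dir, scan, apply the workaround to one, rescan."""
    root = tempfile.mkdtemp(prefix="log4j-scan-")
    for v in ("2.14.1", "2.9.1", "2.16.0"):
        build_sample_jar(os.path.join(root, "log4j-core-%s.jar" % v), v)
    os.makedirs(os.path.join(root, "lib"))
    # Renamed JAR: the version has to come from the manifest, not the file name.
    build_sample_jar(os.path.join(root, "lib", "log4j-core.jar"), "2.15.0")
    before = {os.path.basename(p): s for p, (_, s) in scan(root).items()}
    remove_jndi_lookup(os.path.join(root, "log4j-core-2.9.1.jar"))
    after = {os.path.basename(p): s for p, (_, s) in scan(root).items()}
    return before, after


if __name__ == "__main__":
    for label, report in zip(("before", "after"), demo()):
        for name, status in sorted(report.items()):
            print("%s: %s -> %s" % (label, name, status))
```

Run it as-is to see the constructed demo, or call scan() on a real deployment directory. A JAR whose version cannot be parsed (a 2.0-beta9 build, for instance) is reported for manual inspection rather than guessed, and a JAR is only marked as mitigated when the class is actually absent, since a configured flag cannot be seen from the file itself.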

Be on the lookout for tools that can help detect vulnerabilities, like the following for Azure:

https://www.microsoft.com/security/blog/2021/12/11/guidance-for-preventing-detecting-and-hunting-for-cve-2021-44228-log4j-2-exploitation/

https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/Syslog/Apache_log4j_Vulnerability.yaml

More information can be found here:

https://launchpad.support.sap.com/#/notes/3129956

https://support.sap.com/content/dam/support/en_us/library/ssp/my-support/trust-center/sap-tc-01-5025.pdf

https://govcert.ch/blog/zero-day-exploit-targeting-popular-java-library-log4j/

https://www.randori.com/blog/cve-2021-44228/

https://securityonline.info/apache-log4j2-remote-code-execution-vulnerability-alert/

https://logging.apache.org/log4j/2.x/security.html

https://www.lunasec.io/docs/blog/log4j-zero-day-mitigation-guide/#determine-if-you-are-impacted-by-log4shell

https://stackoverflow.com/questions/70315727/where-to-put-formatmsgnolookups-in-log4j-xml-config-file

https://stackoverflow.com/questions/70331513/how-to-check-if-my-java-project-uses-log4j-and-which-version?noredirect=1&lq=1

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-45046

https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-apache-log4j-qRuKNEbd