News broke out on Thursday, December 9th as Log4j, the most utilized open-source logging system in the world, displayed clear evidence of a critical vulnerability affecting large companies all over the world, including Apple, Amazon, Cloudflare, Steam, Tesla, Twitter, and Baidu.

According to Microsoft Security Response Team, the Apache Log4j 0-day vulnerability allows unauthenticated remote code execution and is triggered when a specially crafted string provided by the attacker through a variety of different input vectors is parsed and processed by the Log4j 2 vulnerable component. Attacks have already taken place less than a day after its reporting, and Netlab, the networking security division of Chinese tech giant Qihoo 360, disclosed that Attackers like Mirai and Muhstik (aka Tsunami) are still actively looking for vulnerable servers to exploit.

Currently, this vulnerability, also known as CVE-2021-44228 currently holds a risk matrix base score of 10, the highest risk possible according to Oracle advisory, and has been labeled by GitHub advisory as a critical severity level.


Have I been affected?

To determine if your application has been affected by this vulnerability:

  • Determine your current Log4j version and update. All versions prior to 2.16.0 have been affected. This is recommended as it was found that, Apache Log4j 2.15.0 was incomplete in certain non-default configurations. This vulnerability called, “CVE-2021-45046” made the previous version susceptible to attacks. As such, Log4j 2.16.0 fixes this issue by removing support for message lookup patterns and disabling JNDI functionality by default.


  • Determine your current Java version and update. All versions lower than the ones below are vulnerable:
    • Java 6 – 6u212
    • Java 7 – 7u202
    • Java 8 – 8u192
    • Java 11 – 11.0.2

If the application has both Java & Log4j issues, then according to Certnz advisory it is certainly been affected. However, you can still check your domain vulnerability by using open-source testing tools, like GitHub – log4shell-tester.


Log4j Solution?

 Download Log4j version 2.16.0 (If you are unable to upgrade, follow the steps below):

  • Behavior can be mitigated by either setting system property formatMsgNoLookups or environment variable LOG4J_FORMAT_MSG_NO_LOOKUPS to true.
  • If using version >=2.0-beta9and <=2.10.0, remove log4j’s JndiLookup class from Java’s classpath as under: zip -q -d log4j-core-*.jar org/apache/logging/log4j/core/lookup/JndiLookup.class



How AppScan can help

HCL AppScan can help developers scan for log4j vulnerabilities CVE-2021-44228 and CVE-2021-45046 with its Open-Source analysis (OSA) or Dynamic Application Security Testing (DAST) capabilities in our cloud-based application security testing solution AppScan on Cloud.

Learn how to scan for vulnerability Log4j with HCL AppScan on Cloud’s OSA capability

Learn how to scan for vulnerability Log4j with HCL AppScan on Cloud’s DAST capability 


What is AppScan on Cloud (ASoC)?

ASoC offers an unparalleled suite of comprehensive security testing tools available on the cloud, including SAST, DAST, IAST, and OSA. Enabling organizations to address vulnerability earlier in the Software Development Life Cycle (SDLC), reducing false positives, fixing code as it’s written and yielding advanced correlation to deliver more accurate results empowering organizations to deliver secure & compliant software faster and at scale.


For a free demonstration of AppScan’s OSA tool and our suite of security testing tools, including SAST, DAST, IAST for web, and open-source applications. Click here.

For additional information on Log4j vulnerability in HCL  AppScan’s deployment platforms, please see AppScan technote.

Comment wrap
Further Reading
Secure DevOps | June 24, 2022
Automatic Issue Correlation Now Part of HCL AppScan
There is no silver bullet that can solve the application security challenge. Each of the core technologies (IAST, DAST, and SAST) has strengths and weaknesses.Auto Issue Correlation allows us to leverage the strengths of each technology, while overcoming weaknesses with the advantages of the others. Furthermore, Auto Issue Correlation enhances your AST capabilities, improves your prioritization process and reduces remediation time and effort.
Secure DevOps | May 20, 2022
New Vulnerability in Spring Framework Detected
A new vulnerability, dubbed SpringShell in Spring Framework, was recently discovered by the HCL AppScan team.SpringShell was given a CVE ID of CVE-2022-22965, and results in Remote Code Execution (RCE) upon successful exploitation, compromising the web server and putting it under the attacker's control. It affects Spring Framework versions 5.3.17/5.2.19 and lower (it was patched in versions 5.3.18/5.2.20).
Secure DevOps | April 28, 2022
Latest Version of AppScan Standard Now Available
AppScan standard has been a market-leading DAST solution for the last 20 years with evolving capabilities throughout the years.
Filters result by