HCL SW Blogs
HCL SW Blogs
Select Page
HCLSoftware, Secure DevOps
  |  December 13, 2021

Guide to Log4j Vulnerabilities

Orlando Villanueva
Orlando Villanueva
Product Marketing Manager, AppScan
Guide to Log4j Vulnerabilities

News broke out on Thursday, December 9th as Log4j, the most utilized open-source logging system in the world, displayed clear evidence of a critical vulnerability affecting large companies all over the world, including Apple, Amazon, Cloudflare, Steam, Tesla, Twitter, and Baidu.

According to Microsoft Security Response Team, the Apache Log4j 0-day vulnerability allows unauthenticated remote code execution and is triggered when a specially crafted string provided by the attacker through a variety of different input vectors is parsed and processed by the Log4j 2 vulnerable component. Attacks have already taken place less than a day after its reporting, and Netlab, the networking security division of Chinese tech giant Qihoo 360, disclosed that Attackers like Mirai and Muhstik (aka Tsunami) are still actively looking for vulnerable servers to exploit.

Currently, this vulnerability, also known as CVE-2021-44228 currently holds a risk matrix base score of 10, the highest risk possible according to Oracle advisory, and has been labeled by GitHub advisory as a critical severity level.

 

THE LOG4J CVE 2022 44228 ATTACK

Have I been affected?

To determine if your application has been affected by this vulnerability:

  • Determine your current Log4j version and update. All versions prior to 2.16.0 have been affected. This is recommended as it was found that, Apache Log4j 2.15.0 was incomplete in certain non-default configurations. This vulnerability called, “CVE-2021-45046” made the previous version susceptible to attacks. As such, Log4j 2.16.0 fixes this issue by removing support for message lookup patterns and disabling JNDI functionality by default.

 

  • Determine your current Java version and update. All versions lower than the ones below are vulnerable:
    • Java 6 – 6u212
    • Java 7 – 7u202
    • Java 8 – 8u192
    • Java 11 – 11.0.2

If the application has both Java & Log4j issues, then according to Certnz advisory it is certainly been affected. However, you can still check your domain vulnerability by using open-source testing tools, like GitHub – log4shell-tester.

 

Log4j Solution?

 Download Log4j version 2.16.0 (If you are unable to upgrade, follow the steps below):

  • Behavior can be mitigated by either setting system property formatMsgNoLookups or environment variable LOG4J_FORMAT_MSG_NO_LOOKUPS to true.
  • If using version >=2.0-beta9and <=2.10.0, remove log4j’s JndiLookup class from Java’s classpath as under: zip -q -d log4j-core-*.jar org/apache/logging/log4j/core/lookup/JndiLookup.class

 

 

How AppScan can help

HCL AppScan can help developers scan for log4j vulnerabilities CVE-2021-44228 and CVE-2021-45046 with its Open-Source analysis (OSA) or Dynamic Application Security Testing (DAST) capabilities in our cloud-based application security testing solution AppScan on Cloud.

Learn how to scan for vulnerability Log4j with HCL AppScan on Cloud’s OSA capability

Close icon
Video image Video Play Button

Learn how to scan for vulnerability Log4j with HCL AppScan on Cloud’s DAST capability

Close icon
Video image Video Play Button

 

What is AppScan on Cloud (ASoC)?

ASoC offers an unparalleled suite of comprehensive security testing tools available on the cloud, including SAST, DAST, IAST, and OSA. Enabling organizations to address vulnerability earlier in the Software Development Life Cycle (SDLC), reducing false positives, fixing code as it’s written and yielding advanced correlation to deliver more accurate results empowering organizations to deliver secure & compliant software faster and at scale.

 

For a free demonstration of AppScan’s OSA tool and our suite of security testing tools, including SAST, DAST, IAST for web, and open-source applications. Click here.

For additional information on Log4j vulnerability in HCL  AppScan’s deployment platforms, please see AppScan technote.

Comment wrap
Orlando Villanueva
Orlando Villanueva
Product Marketing Manager, AppScan
An experienced marketing professional with a history of success in both software and energy management Industries.
Read more

Topics in this article:

AppScanDevOpsHCLSoftwaresecure devops

Submit a Comment

Your email address will not be published. Required fields are marked *

* HCL provides software and services to the U.S. Federal Government through its partner Four, Inc. Please contact Four, Inc. at the U.S. Federal Government contact page.


Further Reading
appscan
appscan
HCL AppScan Standard Reinvents the Configuration UI in Version 10.2.0
Secure DevOps | April 6, 2023
HCL AppScan Standard Reinvents the Configuration UI in Version 10.2.0
Chek out what's new with AppScan Standard, a DAST (Dynamic Application Security Testing) tool designed for security experts and pen-testers that automatically crawls target applications and APIs and tests them for vulnerabilities.
Adam Cave
Adam Cave
Product Marketing Manager, HCL AppScan
appscan
appscan
OWASP Global AppSec Dublin 2023
Secure DevOps | March 13, 2023
What you missed at OWASP Global AppSec Dublin 2023
See what you missed at OWASP Global AppSec Dublin 2023. HCLSoftware has the scoop.
Courtney Coleman
Courtney Coleman
appscan
appscan
Lunch n Learn
Secure DevOps | March 7, 2023
What You’ll Learn at AppScan’s March Lunch “N” Learn
Join us on March 14th, 2023 to talk with our experts as they give an overview of some our newest features.  
Courtney Coleman
Courtney Coleman
Close
Filters result by
Sort:
|
ProductsRESET