Log4Shell: Critical Log4j RCE Vulnerabilty – Update to Version 2.15.0
December 13, 2021Author(s)
On Dec.10, 2021, a new, critical Log4j vulnerability was disclosed: Log4Shell.
This vulnerability within the popular Java logging framework was published as CVE-2021-44228 and categorized as Critical with a CVSS score of 10, which is the highest score possible. The vulnerability was discovered by Chen Zhaojun from Alibaba’s Cloud Security team.
All current versions of log4j2 up to and including 2.14.1 are vulnerable. You can remediate this vulnerability by updating to version 2.15.0 or later.
Many application frameworks in the Java ecosystem use this logging framework by default. For instance, Apache Struts 2, Apache Solr, and Apache Druid are all affected. Aside from those, Apache log4j is also used in many Spring and Spring Boot applications, so we suggest you check your applications and update them to the latest version.
Brian Vermeer, Foojay Java Security Community Manager
(Read the complete article on Snyk.io.)
-
The Costs of Hidden Logging
The story of a partially implemented logging facility in the JDK 8 backport of JFR (for which I was also partially responsible)!
Read More
-
Java Logging: What To Log & What Not To Log?
Logs are a handy tool to spot mistakes and debug code. For engineers and, specifically, in a DevOps environment, the logs are a very valuable tool.
In this article, I am going to guide you through a pragmatic approach to Java logging—what should we log, what shouldn’t we log, and how to implement Java logging properly.
Read More
-
Java: Where the Wild Code Isn’t
In the last several years, the OpenJDK community has made Java significantly safer for users and developers while at the same time making it easier to design, build, and run applications quickly.
Java users should incorporate several practices to take full benefit from the defenses of the modern JRE.
Read More