PT-2021-5169 · Apache · Apache Log4J2
Reported by Chen Zhaojun · Published 2021-12-10 · Updated 2025-10-16
CVE-2021-44228
CVSS v3.1: 10.0 (Critical)
Base vector: AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions
Apache Log4j2 versions 2.0-beta9 through 2.15.0, excluding the Java 7 and Java 6 security releases 2.12.2, 2.12.3 and 2.3.1, which carry the fix.
Apache Log4j2 2.16.0 and later are not affected: message lookup substitution has been removed and JNDI access is disabled unless explicitly enabled. 2.15.0 and 2.16.0 remain subject to the follow-up issues CVE-2021-45046 and CVE-2021-45105 respectively, so 2.17.1 or later (2.12.4 for Java 7, 2.3.2 for Java 6) is the practical upgrade target.
Description
Log4j2's lookup mechanism expands ${...} expressions that appear in configuration, in log messages and in message parameters. The JNDI lookup, ${jndi:...}, places no restriction on which LDAP, RMI or other JNDI endpoints it contacts, so when message lookup substitution is enabled (the default in every release before 2.15.0) an attacker who can get a string into a logged message or parameter, for example through an HTTP header such as User-Agent, a username field or a chat message, can point the lookup at an LDAP server they control. On JDKs that still trust remote codebases (before 8u191, 7u201, 6u211 and 11.0.1) the LDAP reply can make the JVM download and execute an attacker-supplied class; on newer JDKs the same lookup can return a serialized object that reaches a gadget class on the application classpath, which is why the issue is also classed as deserialization of untrusted data. The flaw is in log4j-core; log4net, log4cxx and the other Apache Logging Services projects are not affected. It was widely exploited in the wild from the day of public disclosure, including against VMware Horizon deployments. No reliable count of affected systems exists, but Log4j2 is embedded in a very large share of Java applications and services, and most of them log untrusted input somewhere.
Recommendations
Update log4j-core to 2.16.0 or later; applications that must stay on Java 7 should use 2.12.2 or later, and on Java 6 2.3.1 or later. Apache's current advice is 2.17.1 or later (2.12.4 for Java 7, 2.3.2 for Java 6), since 2.16.0 is still affected by the recursion denial of service CVE-2021-45105 and 2.17.0 by CVE-2021-44832.
Where an immediate update is not possible, remove the JndiLookup class from the jar and restart the application: zip -q -d log4j-core-*.jar org/apache/logging/log4j/core/lookup/JndiLookup.class. This works on every affected 2.x release and is the workaround Apache recommends over the property below.
On 2.10 through 2.14.1, setting the system property log4j2.formatMsgNoLookups=true (or the environment variable LOG4J_FORMAT_MSG_NO_LOOKUPS=true) disables message lookup substitution. The property does not exist before 2.10 and has no effect there, and Apache later found it insufficient against some non-default configurations (CVE-2021-45046), so treat it as a stopgap only.
Independently of the above, restrict outbound LDAP, RMI and DNS from application hosts to untrusted networks and review logs for ${jndi: lookups, including obfuscated forms such as ${${lower:j}ndi:...}; exploitation needs the JVM to reach an attacker-controlled endpoint, so egress filtering both blunts the attack and makes attempts visible.
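To apply the recommendations above across a fleet you need to know which jars are in scope and whether the workaround has already been applied. The following Python is an added example, not code from this page, from Apache, or from any of the scanners listed below. It reads the version from a jar's Maven pom.properties, reports whether JndiLookup.class is still present, and rewrites a jar without that class, which is the same change Apache's zip -q -d workaround makes. The version ranges follow this advisory (2.0-beta9 through 2.15.0 affected, the 2.3.1 and 2.12.2 backports and 2.16.0+ fixed); the sample jars are constructed in a temporary directory with placeholder class bytes and exist only for the demonstration.

```python
"""Added example: triage log4j-core jars for CVE-2021-44228 and apply the class-removal workaround."""
import tempfile
import zipfile
from pathlib import Path

JNDI_LOOKUP_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
POM_PROPERTIES = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"


def version_status(version: str) -> str:
    """Classify a log4j-core version against CVE-2021-44228 only (ranges per this advisory)."""
    base, _, suffix = version.partition("-")        # "2.0-beta9" -> ("2.0", "beta9")
    t = tuple(int(p) for p in base.split("."))
    t = (t + (0, 0))[:3]
    if t[0] != 2:
        return "out-of-scope"                       # Log4j 1.x is a different code base
    if t == (2, 0, 0) and suffix:
        # JndiLookup first shipped in 2.0-beta9; rc1, rc2 and 2.0 itself came later.
        if suffix.startswith("beta") and int(suffix[4:]) < 9:
            return "not-affected"
        return "vulnerable"
    if t >= (2, 16, 0):
        return "fixed"                              # message lookups removed
    if (2, 12, 2) <= t < (2, 13, 0) or (2, 3, 1) <= t < (2, 4, 0):
        return "fixed"                              # Java 7 / Java 6 security backports
    return "vulnerable"                             # 2.0 .. 2.15.0


def assess_jar(path: Path) -> dict:
    """Read version and JndiLookup presence from one jar; does not descend into nested jars."""
    with zipfile.ZipFile(path) as zf:
        names = set(zf.namelist())
        version = None
        if POM_PROPERTIES in names:
            for line in zf.read(POM_PROPERTIES).decode("utf-8", "replace").splitlines():
                if line.startswith("version="):
                    version = line.split("=", 1)[1].strip()
        has_jndi = JNDI_LOOKUP_CLASS in names
    status = version_status(version) if version else "unknown-version"
    if status == "vulnerable" and not has_jndi:
        status = "mitigated"        # workaround applied: the lookup class cannot be loaded
    elif status == "unknown-version" and has_jndi:
        status = "suspect"          # no Maven metadata (shaded or repackaged?) but the class is there
    return {"path": str(path), "version": version, "jndi_lookup_present": has_jndi, "status": status}


def strip_jndi_lookup(src: Path, dst: Path) -> None:
    """Write a copy of src without JndiLookup.class (what `zip -q -d ... JndiLookup.class` does)."""
    with zipfile.ZipFile(src) as zin, zipfile.ZipFile(dst, "w") as zout:
        for item in zin.infolist():
            if item.filename != JNDI_LOOKUP_CLASS:
                zout.writestr(item, zin.read(item.filename))


def scan_tree(root: Path) -> list:
    return [assess_jar(p) for p in sorted(Path(root).rglob("*.jar"))]


def _make_sample_jar(path: Path, version: str, include_jndi: bool) -> None:
    """Constructed stand-in for a log4j-core jar: real layout, placeholder class bytes."""
    with zipfile.ZipFile(path, "w") as zf:
        zf.writestr(POM_PROPERTIES, f"version={version}\ngroupId=org.apache.logging.log4j\n"
                                    "artifactId=log4j-core\n")
        zf.writestr("org/apache/logging/log4j/core/Logger.class", b"\xca\xfe\xba\xbe")
        if include_jndi:
            zf.writestr(JNDI_LOOKUP_CLASS, b"\xca\xfe\xba\xbe")


def build_and_assess_samples(workdir=None) -> dict:
    """Build sample jars, apply the workaround to one of them, and return name -> status."""
    root = Path(workdir or tempfile.mkdtemp(prefix="log4j-triage-"))
    for name, version, jndi in [
        ("log4j-core-2.14.1.jar", "2.14.1", True),
        ("log4j-core-2.15.0.jar", "2.15.0", True),
        ("log4j-core-2.12.2.jar", "2.12.2", True),
        ("log4j-core-2.16.0.jar", "2.16.0", True),
        ("log4j-core-2.0-beta8.jar", "2.0-beta8", False),
    ]:
        _make_sample_jar(root / name, version, jndi)
    strip_jndi_lookup(root / "log4j-core-2.14.1.jar", root / "log4j-core-2.14.1-stripped.jar")
    return {Path(r["path"]).name: r["status"] for r in scan_tree(root)}


if __name__ == "__main__":
    for name, status in build_and_assess_samples().items():
        print(f"{status:16} {name}")
```

The scan only looks at top-level jars: log4j-core embedded in a WAR, EAR or shaded fat jar, or copied under another file name, is not found, and a jar without pom.properties is reported as unknown-version (or suspect if the class is present). Stripping the class is a stopgap that needs an application restart to take effect; the version update remains the real fix.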
Exploit
Fix
RCE
Resource Exhaustion
Deserialization of Untrusted Data
Related Identifiers
APACHELOG4J2_CVE2021_44228
BDU:2021-05969
CVE-2021-44228
DLA-2842-1
DSA-5020-1
DSA-5022-1
GHSA-7RJR-3Q55-VV33
GHSA-FP5R-V3W9-4333
GHSA-JFH8-C2JP-5V3Q
GHSA-MF4F-J588-5XM8
MGASA-2021-0556
OESA-2021-1462
OESA-2021-1474
OESA-2022-1943
OPENSUSE-SU-2021:1577-1
OPENSUSE-SU-2021:1586-1
OPENSUSE-SU-2021:1601-1
OPENSUSE-SU-2021:1613-1
OPENSUSE-SU-2021:3999-1
OPENSUSE-SU-2021:4094-1
OPENSUSE-SU-2021:4107-1
OPENSUSE-SU-2021:4109-1
OPENSUSE-SU-2024:11666-1
OPENSUSE-SU-2024:11683-1
RHSA-2022:1296
RHSA-2022:1297
RHSA-2025:1746
RHSA-2025:1747
SUSE-SU-2021:4096-1
SUSE-SU-2021:4097-1
USN-5192-1
USN-5192-2
USN-5197-1
Affected Products
Apache Log4J 1.2
Apache Log4J2
Apache Struts
Astra Linux
Huawei Vrp
Jmsappender
Linuxmint
Apple Macos
Suse
Symantec Endpoint Protection Server
Ubuntu
Vmware Vcenter
References · 931
- https://github.com/rapid7/metasploit-framework/blob/master/modules/auxiliary/scanner/http/log4shell_scanner.rb · Exploit
- https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/multi/http/log4shell_header_injection.rb · Exploit
- https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/multi/http/vmware_vcenter_log4shell.rb · Exploit
- https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/linux/http/mobileiron_core_log4shell.rb · Exploit
- https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/multi/http/ubiquiti_unifi_log4shell.rb · Exploit
- https://github.com/fullhunt/log4j-scan · Exploit
- https://github.com/kozmer/log4j-shell-poc · Exploit
- https://github.com/christophetd/log4shell-vulnerable-app · Exploit
- https://github.com/Puliczek/CVE-2021-44228-PoC-log4j-bypass-words · Exploit
- https://github.com/logpresso/CVE-2021-44228-Scanner · Exploit
- https://github.com/f0ng/log4j2burpscanner · Exploit
- https://github.com/mergebase/log4j-detector · Exploit
- https://github.com/jas502n/Log4j2-CVE-2021-44228 · Exploit
- https://github.com/corretto/hotpatch-for-apache-log4j2 · Fix