Apache Log4j2 (Log4Shell) RCE Vulnerability – CVE-2021-44228
- Accops
- December 12, 2021
- 6:57 pm
On Dec 9th, a zero-day exploit in an open-source library named “Log4j” was made public. This library is very popular for creating logs by Java applications.
The vulnerability is labelled as Log4Shell (CVE-2021-44228: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-44228) and results in remote code execution (RCE) and is assigned highest CVE severity level of 10. The vulnerability impacts Apache Log4j2 versions 2.0 to 2.14.1.
The vulnerability can be exploited very easily if a user can connect to a Java based application and user can send a specially crafted string to the application over any protocol including TCP, HTTP or HTTPS.
It is particularly difficult to detect the presence of the library because it can be used in a source code form in any Java-based application and so simple software BOM generation tools may not be effective.
This announcement summarizes any potential impacts to Accops products and related announcements for mitigations of the issue.
Accops engineering and security team continue to actively work on identifying Accops’ and open-source modules included as part of Accops products which uses the log4j library for logging.
Accops has concluded that following products (all versions) do not use log4j library and are NOT vulnerable:
1. HySecure
2. HyWorks
3. HyDesk
4. HyID
5. BioAuth
6. Nano
7. HyLabs
Following modules uses Java and analysis shows that the module is not vulnerable to RCE.
1. Accops Reporting Server based on ELK stack
Accops Reporting server is an internal service and is based on ELK stack and is built using Java.
Elasticsearch contains the vulnerable class which can lead to information leakage. (Apache Log4j2 Remote Code Execution (RCE) Vulnerability – CVE-2021-44228 – ESA-2021-31 – Announcements / Security Announcements – Discuss the Elastic Stack).
After a detailed analysis, our engineering team has released a patch to fix the issue.Kindly download patch by clicking below link :
https://downloads.accops.com/public/Log4j+Mitigation/ARS_Log4j_Mitigation.zip
Share With:
You may also like
Accops Finishes 2022 On A High Note, Wins Four Prestigious Awards
The year 2022 marked a significant landmark for Accops as we completed a decade of our existence. When we look back on where we started
Defense in Depth Security: Stopping the Advanced Cyber Attacks in its Track
Over the past few decades, the digital world has revolutionized itself manifold. Organizations no longer assume that trusted objects only exist inside, and untrusted ones
How can Cooperative Banks comply with the latest RBI guidelines?
In the wake of the recent surge in incidents of Internet banking frauds, RBI has issued a series of guidelines for banks. These guidelines are
