17 January 2022

Security Note - LOG4J Vulnerability

AdobeStock_475269583

Background:

Apache is a widely used open source web server that is maintained by the Apache Foundation. Log4J is a widely used open source application logging product that is maintained by the Apache Software Foundation

A critical security issue has been recently identified, Microsoft have provided a comprehensive security blogpost on the issue, and is regularly updating it as new information is made available here.

In summary, Apache Log4j2 versions 2.0-beta7 through 2.17.0 (excluding security fix releases 2.3.2 and 2.12.4) are vulnerable to a remote code execution (RCE) attack where an attacker with permission to modify the logging configuration file can construct a malicious configuration using a JDBC Appender with a data source referencing a JNDI URI which can execute remote code. This issue is fixed by limiting JNDI data source names to the java protocol in Log4j2 versions 2.17.1, 2.12.4, and 2.3.2.

Specific Technical Detail: https://logging.apache.org/log4j/2.x/security.html

Apache released a patch at the end of December 2021.

Patch Details: https://logging.apache.org/log4j/2.x/

Upgrade to Log4j 2.3.2 (for Java 6), 2.12.4 (for Java 7), or 2.17.1 (for Java 8 and later)

Impact & Available Vendors Communications

Louder have listed the primary advertising & marketing technology vendors responses below (A-Z):

About Arthur Hascoet

Arthur Hascoet specialises in performance media strategies and automation opportunities. In his spare time he enjoys the great outdoors and discovering the unsealed tracks of the backcountry.