Posted by Geraldine Hunt on Wed, Dec 15th, 2021
On December 9, 2021, Apache disclosed CVE-2021-44228, a remote code execution vulnerability affecting Apache Log4j2, a Java-based logging framework widely used in commercial and open-source software products.
The Apache Log4j2 library is one of the most widely used Java-based logging utilities globally. Due to its widespread use in popular software and hardware platforms, a large number of third-party apps may be vulnerable to exploitation.
• CVE-2021-44228: A vulnerability in versions of Log4j2 prior to 2.15 that allows a malicious actor to access arbitrary resources through an encapsulated Java Naming and Directory Interface (JNDI) request.
• CVE-2021-45046: Similar to CVE-2021-44228 but only affecting Log4j2 version 2.15.0, which allows a malicious actor to launch a denial of service (DoS) attack on the hosting server.
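Because Log4j2 is usually bundled inside other applications rather than installed on its own, an inventory check has to look inside application archives. The following Python example is added here and is not TitanHQ or Apache code: it walks a WAR/JAR, including archives nested inside it, reads the `pom.properties` file that log4j-core ships, and maps each version to the two CVEs exactly as they are listed above. The sample WAR and the `app.war` name are constructed for the example.

```python
import io
import re
import zipfile

# Maven metadata file that log4j-core carries inside its own jar.
POM = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"

def classify(version):
    """Return the CVEs the advisory above lists for this Log4j2 version."""
    m = re.match(r"2\.(\d+)(?:\.(\d+))?", version)
    if not m:
        return []
    minor, patch = int(m.group(1)), int(m.group(2) or 0)
    if minor < 15:
        return ["CVE-2021-44228"]   # "versions of Log4j2 prior to 2.15"
    if (minor, patch) == (15, 0):
        return ["CVE-2021-45046"]   # "only affecting Log4j2 version 2.15.0"
    return []

def scan(data, path):
    """Yield (location, version, cves) per log4j-core copy, nested ones too."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for name in zf.namelist():
            if name == POM:
                text = zf.read(name).decode("utf-8", "replace")
                m = re.search(r"^version=(.+)$", text, re.M)
                version = m.group(1).strip() if m else "unknown"
                yield path, version, classify(version)
            elif name.lower().endswith((".jar", ".war", ".ear")):
                try:
                    yield from scan(zf.read(name), f"{path}!/{name}")
                except zipfile.BadZipFile:
                    continue  # archive extension but not a valid zip; skip

def make_zip(files):  # build an in-memory archive (sample data only)
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, content in files.items():
            zf.writestr(name, content)
    return buf.getvalue()

def sample_findings():
    """Scan a constructed WAR that bundles three log4j-core versions."""
    libs = {f"WEB-INF/lib/log4j-core-{v}.jar":
            make_zip({POM: f"#Generated by Maven\nversion={v}\n"})
            for v in ("2.14.1", "2.15.0", "2.16.0")}
    return list(scan(make_zip(libs), "app.war"))

if __name__ == "__main__":
    print(*sample_findings(), sep="\n")
```

Copies of the library whose Maven metadata has been stripped during repackaging are not detected by this check, so an empty result is not proof of absence.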
Given how ubiquitous this library is, the impact of this zero-day exploit is quite severe. In terms of TitanHQ solutions, we do not use the affected component in any of our products. Nevertheless, as this is a dynamic situation, we will continue to monitor for new developments and provide status updates and guidance to our customers as needed.
For advice on your email or web security needs, don't hesitate to contact one of our product experts today.