Latest update 1/4/2022 2:00 PM PST:
Latest library is v2.17. Multiple vulnerabilities (3) have been discovered in Log4j functional code.
A serious Zero-day vulnerability in a widely used Apache Java logging library has become a full-blown internet crisis, affecting millions of digital systems across the internet. On December 11, 2021, Cybersecurity and Infrastructure Security Agency (CISA) Director Jen Easterly released a statement, highlighting that “To be clear, this vulnerability poses a severe risk… We urge all organizations to join us in this essential effort and take action.”
Log4j is incorporated into a host of popular frameworks, including Apache Struts2, Apache Solr, Apache Druid, and Apache Flink. According to Kaspersky, almost all versions of Log4j are vulnerable, starting from 2.0-beta9 to 2.16. The simplest and most effective protection method is to upgrade the most recent version of the library:
- Log4j 2.3.2 (for Java 6)
- Log4j 2.12.4 (for Java 7)
- Log4j 2.17.1 (for Java 8 and later)
Relative to exploitation post-compromise, “Microsoft has observed activities including installing coin miners, Cobalt Strike to enable credential theft and lateral movement, and exfiltrating data from compromised systems,” the company said.