Apache Log4j lookup substitution (CVE-2021-44228)
Vulnerability details
A vulnerability in the Log4j dependency may allow a remote attacker with a specially forged server to perform a Denial of Service or Information Leakage of server memory.
Impacted products
Products | Severity | Detail
---|---|---
Stormshield Visibility Center | low | A vulnerability in the Log4j dependency may allow a remote attacker with a specially forged server to perform a Denial of Service or Information Leakage of server memory.
Revisions
Version | Date | Description
---|---|---
v1 | | Initial release
Stormshield Visibility Center
CVSS v3.1 Overall Score: 3

Analysis
Impacted version: A vulnerability in the Log4j dependency may allow a remote attacker with a specially forged server to perform a Denial of Service or Information Leakage of server memory.

Workaround solution
Solution:
Affected users can run the following command via SSH with root privileges:
zip -q -d /data/logstash/logstash-core/lib/jars/log4j-core-*.jar org/apache/logging/log4j/core/lookup/JndiLookup.class
This disables the lookups in Log4j logs and effectively avoids the vulnerability.
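The workaround above removes the JndiLookup class from the jar. The script below is an added example, not Stormshield's own tooling: using only the Python standard library it scans jars matching the advisory's `log4j-core-*.jar` pattern for that class, strips the entry the same way `zip -d` does (rewriting the archive without it), and re-scans so an operator can confirm the workaround took effect. It builds a constructed sample jar in a temporary directory instead of touching `/data/logstash/...`; the jar name `log4j-core-sample.jar` and the fake class bytes are placeholders.

```python
"""Check log4j-core jars for JndiLookup.class and strip it (stdlib only)."""
import glob
import os
import shutil
import tempfile
import zipfile

# Entry path named in the advisory's workaround command.
JNDI_ENTRY = "org/apache/logging/log4j/core/lookup/JndiLookup.class"


def jars_with_jndi_lookup(pattern):
    """Return every jar matching `pattern` that still contains JndiLookup.class."""
    hits = []
    for path in sorted(glob.glob(pattern)):
        with zipfile.ZipFile(path) as zf:
            if JNDI_ENTRY in zf.namelist():
                hits.append(path)
    return hits


def strip_jndi_lookup(jar_path):
    """Rewrite jar_path without JndiLookup.class (what `zip -d` does in place).

    Returns True if the entry was present and removed, False if it was already absent.
    """
    with zipfile.ZipFile(jar_path) as zf:
        if JNDI_ENTRY not in zf.namelist():
            return False
        # Copy every other entry (with its original metadata) into memory.
        kept = [(info, zf.read(info.filename))
                for info in zf.infolist() if info.filename != JNDI_ENTRY]
    tmp_path = jar_path + ".tmp"
    with zipfile.ZipFile(tmp_path, "w") as out:
        for info, data in kept:
            out.writestr(info, data)
    # Atomic swap so a crash never leaves a half-written jar behind.
    os.replace(tmp_path, jar_path)
    return True


def make_sample_jar(directory):
    """Constructed sample: a fake log4j-core jar holding JndiLookup.class and two other entries."""
    path = os.path.join(directory, "log4j-core-sample.jar")  # placeholder name
    with zipfile.ZipFile(path, "w") as zf:
        zf.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
        zf.writestr("org/apache/logging/log4j/core/lookup/StrLookup.class", b"\xca\xfe\xba\xbe")
        zf.writestr(JNDI_ENTRY, b"\xca\xfe\xba\xbe")  # fake class bytes
    return path


def demo():
    """Run check -> strip -> re-check on the constructed jar and report the outcome."""
    workdir = tempfile.mkdtemp()
    try:
        jar = make_sample_jar(workdir)
        pattern = os.path.join(workdir, "log4j-core-*.jar")
        before = jars_with_jndi_lookup(pattern)
        removed = sum(strip_jndi_lookup(p) for p in before)
        after = jars_with_jndi_lookup(pattern)
        with zipfile.ZipFile(jar) as zf:
            remaining = sorted(zf.namelist())
        return {"before": len(before), "removed": removed,
                "after": len(after), "remaining": remaining}
    finally:
        shutil.rmtree(workdir)


if __name__ == "__main__":
    print(demo())
```

To use it on a real host, point `pattern` at the jar directory from the advisory and take a backup of each jar first. One reason to loop in a script rather than rely on the one-line command: a shell expands `log4j-core-*.jar` before `zip` runs, and `zip -d` treats only the first argument as the archive, so if more than one jar matches, the others are silently interpreted as entry patterns and left untouched. Re-running `jars_with_jndi_lookup` afterwards is the check that every matching jar is actually clean.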

Official fix under progress

Attack Vector | Attack Complexity | Privileges Required | User Interaction | Scope | Confidentiality Impact | Integrity Impact | Availability Impact
---|---|---|---|---|---|---|---
Network | High | High | Required | Unchanged | Low | None | Low

Exploit Code Maturity | Remediation Level | Report Confidence
---|---|---
Proof of concept code | Workaround | Confirmed

Confidentiality Requirement | Integrity Requirement | Availability Requirement
---|---|---
High | Low | Low
Acknowledgements
Apache Log4j security advisory:
https://logging.apache.org/log4j/2.x/security.html