Java
Java : Log4j Vulnerability
Classification
OWASP Top 10 2017
OWASP Top 10 2021
PCI DSS 4.0
Overview
Log4Shell is a zero-day vulnerability in Log4j, a popular Java logging framework, that allows arbitrary code execution.
The root cause is that some versions of Log4j resolve lookup expressions embedded in logged text, and in doing so can fetch and execute code from a remote server over the LDAP protocol.
The application writes data from an unverified source to the event log. An attacker can therefore spoof log entries or inject malicious content into them. When Log4j processes such an entry, the vulnerable system can be made to download and run malicious code, potentially giving the attacker full remote control of the system.
We recommend upgrading to Log4j 2.3.2 (for Java 6), 2.12.4 (for Java 7), or 2.17.1 (for Java 8 and later).
DerScanner Severity Score: CRITICAL
See also
Java : Race condition
Java : Text4Shell Vulnerability
