How to Find and Mitigate Log4j (CVE-2021–44228) in applications

Log4j is a Java library used to do logging. It was recently found to have a vulnerability (CVE-2021–44228) that allows an attacker to take over your web server (or any device it runs on) and run commands from the device. Unfortunately, it is present in many, many applications and services all over the internet.

Update:

The Log4j team has been made aware of a security vulnerability, CVE-2021–45046 ( fix to address CVE-2021–44228 in Apache Log4j 2.15.0 was incomplete in certain non-default configurations.), that has been addressed in Log4j 2.12.2 for Java 7 and 2.16.0 for Java 8 and up.

CVE-2021–45046

Summary: Apache Log4j2 Thread Context Message Pattern and Context Lookup Pattern vulnerable to a denial of service attack.

Mitigation
In version 2.12.2 Log4j disables access to JNDI by default. Usage of JNDI in configuration now need to be enabled explicitly. Calls to the JndiLookup will now return a constant string. Also, Log4j now limits the protocols by default to only java. The message lookups feature has been completely removed.

In version 2.16.0 Log4j disables access to JNDI by default. JNDI lookups in configuration now need to be enabled explicitly. Also, Log4j now limits the protocols by default to only java, ldap, and ldaps and limits the ldap protocols to only accessing Java primitive objects. Hosts other than the local host need to be explicitly…