KPMG is actively monitoring the ongoing security threat made public by The Apache Software Foundation (“ASF”) on Friday, December 10, 2021. The ASF announced to the public that the popular Log4j Logging Services software library – a Java library that provides logging capabilities for Java applications – was vulnerable to an unauthenticated remote code execution (RCE) exploit1. The vulnerability, dubbed Log4Shell, was assigned CVE-2021-44228 for tracking purposes and was rated critical2. The Common Vulnerability Scoring System (CVSS) assigned the vulnerability it’s highest criticality rating of 10.0 based in part on the widespread use of Log4j and the ease of exploitation.
The vulnerability allows an attacker to execute code on a remote server without authentication. The ASF released version 2.15.0 of the Log4j library to address the vulnerability associated with CVE-2021-44228. Version 2.16.0 was released shortly thereafter to address a second similar vulnerability in the Log4j library (CVE-2021-45046), as well as to address a number of bypass methods that were discovered during early scanning and exploit attempts by attackers on the internet. Organizations are strongly encouraged to upgrade Log4j to version 2.16.0 immediately to mitigate the active, on-going threat.
Prior to the announcement by the ASF, multiple security companies and independent cybersecurity researchers reported active scanning and exploitation of the Log4j vulnerability, including the United States Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (“CISA”)3, the Austrian national CERT4, the New Zealand national CERT5, and the Singapore national CERT6.
A number of security agencies, including CISA, have issued security advisories and bulletins that include detailed information that companies can use to help determine if they may be impacted by the Apache Log4j vulnerability7.
Read our paper to learn more about Log4j Vulnerability impact, affected versions, how the exploit works, and how to respond to a Log4Shell threat.
- Apache Software Foundation: Apache Log4j Security Vulnerabilities (December 2021)
- The MITRE Corporation: CVE-2021-44228 (December 2021)
- CISA: Apache Releases Log4j Version 2.15.0 to Address Critical RCE Vulnerability Under Exploitation (December 2021)
- Austrian CERT: Kritische 0-day Sicherheitslücke in Apache Log4j Bibliothek - Updates und Workarounds verfügbar (December 2021)
- New Zealand CERT: Log4j RCE 0—day actively exploited (December 2021)
- Singapore CERT: Zero-Day Vulnerability in Apache Java Logging Library Log4j (December 2021)
- CISA: Apache Log4j Vulnerability Guidance (December 2021)