The zero-day vulnerability in Log4j, part of the Apache Logging Services Project, was the headline and outbreak alert at the time. Apache running as the default web server is a very typical setup, so it will impact a lot of web servers out there.
According to the market share report, Nginx holds 32.9%, followed by Apache at 31.5%. The rest do not even reach 25%, and Microsoft-IIS is at 6.3%. So you can imagine that about 1/3 of the web servers in the market will be impacted if you do not patch and update accordingly before this zero-day vulnerability is used by a hacker against your web server.
It is important to act now: since Log4j is deployed on millions of servers, this vulnerability can be exploited to achieve remote code execution and total system control on vulnerable systems. If you have yet to understand what is going on, it is worth spending some time to learn about it and, more importantly, to find out whether any application on your end uses it. If so, you need to update it immediately, given the zero-day vulnerability status posted at the time.
Technical explanation of what is going on:
- The Apache Log4j 2 utility is an open source Apache framework commonly used as a component for logging requests.
- On December 9, 2021, a vulnerability was reported that could allow a system running Apache Log4j version 2.14.1 or below to be compromised and allow an attacker to execute arbitrary code on the vulnerable server.
- On December 10th, 2021, NIST published a critical CVE in the National Vulnerability Database identifying this as CVE-2021-44228. The official CVSS base severity score has been determined as 10. As such, every customer who manages environments containing Log4j should update to v2.15.0 or take the mitigation actions outlined in this post.
Applicable patches and/or mitigation recommendations:
- Customers should upgrade to v2.15.0 of Log4j as soon as possible. If they cannot upgrade to the updated version quickly, customers should mitigate by setting the “No Lookups” property (log4j2.formatMsgNoLookups) to true.
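Before upgrading you need to know where Log4j actually sits on your hosts. The following is an added example (not code from the original post or from the Apache project) that inventories log4j-core JARs under a directory by reading the Maven `pom.properties` each one carries and flags any release below v2.15.0 that still ships `JndiLookup.class`; the sample JAR it builds is constructed in memory purely for demonstration.

```python
import io
import os
import zipfile

POM_PROPS = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"  # carries version=
JNDI_LOOKUP_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
FIXED_VERSION = (2, 15, 0)  # the release the post says to upgrade to

def parse_version(text):
    """Turn '2.14.1' into (2, 14, 1); non-numeric or missing parts become 0."""
    parts = [int(p) if p.isdigit() else 0 for p in text.strip().split(".")]
    return tuple((parts + [0, 0, 0])[:3])

def inspect_jar(jar_source):
    """Return (version or None, ships JndiLookup.class) for a JAR path or file object."""
    with zipfile.ZipFile(jar_source) as jar:
        names = set(jar.namelist())
        props = jar.read(POM_PROPS).decode("utf-8", "replace") if POM_PROPS in names else ""
        version = next((ln.split("=", 1)[1].strip() for ln in props.splitlines()
                        if ln.startswith("version=")), None)
        return version, JNDI_LOOKUP_CLASS in names

def is_vulnerable(version, has_jndi_lookup):
    """Flag a JAR that still ships JndiLookup and is below 2.15.0 (or of unknown version)."""
    if not has_jndi_lookup:
        return False  # lookup class absent, e.g. removed by the class-deletion mitigation
    if version is None:
        return True   # no Maven metadata: review by hand rather than assume it is fixed
    return parse_version(version) < FIXED_VERSION

def scan_directory(root):
    """Walk root and map each log4j-core JAR path to (version, needs_patch)."""
    findings = {}
    jars = (os.path.join(d, f) for d, _, fs in os.walk(root) for f in fs if f.endswith(".jar"))
    for path in jars:
        try:
            version, has_lookup = inspect_jar(path)
        except zipfile.BadZipFile:
            continue  # not a real JAR; skip it
        if version is not None or has_lookup:  # only log4j-core-looking JARs
            findings[path] = (version, is_vulnerable(version, has_lookup))
    return findings

def build_sample_jar(version):
    """Constructed in-memory stand-in for a log4j-core JAR (not a real Apache artifact)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as jar:
        jar.writestr(POM_PROPS, f"version={version}\n")
        jar.writestr(JNDI_LOOKUP_CLASS, b"\xca\xfe\xba\xbe")  # placeholder class bytes
    return io.BytesIO(buf.getvalue())
```

Run `scan_directory("/path/to/app/lib")` on a host to list the JARs that need the upgrade; note that this file-level check cannot see whether `log4j2.formatMsgNoLookups` has been set on a running JVM, so a flagged JAR on a host where that mitigation is already applied still shows up and must be reconciled against the JVM configuration.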
E-SPIN Group supplies enterprise ICT solutions, consultancy, project management, training and maintenance to corporations and government agencies, doing business across the region and through its channel. Feel free to contact E-SPIN for your project requirements and inquiries.