CVE-2021-44228 - Log4j RCE 0-day mitigation
On December 9, 2021, a zero-day exploit (CVE-2021-44228) affecting the Apache Log4j utility was made public, leading to remote code execution. The vulnerability is actively being exploited and users of Log4j are advised to update to version 2.15.0 as soon as possible. Alternatively, the issue can be mitigated by removing the JndiLookup class from the class path or setting specific system properties/environment variables. Cloudflare WAF customers can leverage three newly deployed rules to help mitigate exploit attempts. The situation is being monitored and managed rules will be updated accordingly. Log4j, a Java-based logging library maintained by Apache Software Foundation, is affected in all versions >= 2.0-beta9 and <= 2.14.1.
Company
Cloudflare
Date published
Dec. 10, 2021
Author(s)
Gabriel Gabor, Andre Bluehs
Word count
288
Language
English
Hacker News points
21