The software industry was shocked by the Log4j2 zero-day exploit, known as Log4Shell (CVE-2021-44228).
Apache Log4j2 versions 2.0-beta9 through 2.14.1 are exploitable: when attacker-controlled input that ends up in a log message contains a JNDI lookup string (`${jndi:...}`) pointing at an LDAP server the attacker controls, the library resolves the lookup, fetches a reference from that server and can end up loading and executing remote code.
LDAP (Lightweight Directory Access Protocol) is an industry-standard protocol for accessing directory services.
JNDI (Java Naming and Directory Interface) is a Java API for naming and directory services that lets Java clients discover and look up data and resources by name.
Find more information about the vulnerability in the NVD entry for CVE-2021-44228.
NVD (National Vulnerability Database) is maintained by the National Institute of Standards and Technology (NIST), an agency of the United States Department of Commerce.
Fix the vulnerability
- Even the latest Spring Boot release (at the time of writing) manages Log4j2 at the vulnerable 2.14.1 version through its dependency management. Note that Spring Boot logs through Logback by default; the JNDI lookup code lives in log4j-core, which is only on your classpath if you use spring-boot-starter-log4j2 or depend on log4j-core directly. log4j-api and log4j-to-slf4j alone do not carry it.
- So we need to override the managed version explicitly in the project's properties, as below.
- In pom.xml, create a <properties> section if one does not exist and add a log4j2.version property set to 2.16.0 (the latest release at the time of writing; use the newest release available). Spring Boot's dependency management applies this property to every Log4j2 artifact it manages. This override works when the project inherits from spring-boot-starter-parent; if you import the spring-boot-dependencies BOM instead, a property cannot override the managed version and you must declare the Log4j2 artifacts with their version in <dependencyManagement> ahead of the BOM import.
- To check the version applied to the project, run the following command
mvn dependency:tree | grep "log4j"
- The result should look like the following (only log4j-api and log4j-to-slf4j appear in a default Spring Boot project; if you use spring-boot-starter-log4j2 you will also see log4j-core, which is the artifact that must be at the fixed version)
[INFO] | | | +- org.apache.logging.log4j:log4j-to-slf4j:jar:2.16.0:compile
[INFO] | | | | \- org.apache.logging.log4j:log4j-api:jar:2.16.0:compile
- Similar fixes are available for other build tools, for example overriding the same log4j2.version property in a Gradle build that uses the Spring Boot plugin's dependency management.
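The check in the steps above is easy to misread: seeing a 2.14.1 artifact in the tree does not by itself mean the application is exploitable, and seeing log4j-api at 2.16.0 does not prove log4j-core was also upgraded. The script below is an added example, not code from the original post or from the Log4j or Spring projects. It reads `mvn dependency:tree` output, prints every Log4j2 artifact with its version, and flags only log4j-core below the fixed version (2.16.0, the target used in this post) as vulnerable, since that is the artifact containing the JNDI lookup. It assumes Maven coordinates of the form group:artifact:type:version:scope (no classifier), and the sample tree embedded in it is constructed, not captured from a real build.

```shell
#!/bin/sh
# Added example (not from the original post): classify the Log4j2 artifacts in
# `mvn dependency:tree` output. The JNDI lookup abused by Log4Shell lives in
# log4j-core, so log4j-api / log4j-to-slf4j on their own (Spring Boot's default
# Logback setup) are reported as not exploitable by themselves.
#
# Usage:   mvn dependency:tree | sh check_log4j.sh --check
#          sh check_log4j.sh --demo     # runs against the constructed sample below
# Exit status is 1 if a log4j-core below FIXED_VERSION is found, 0 otherwise.

FIXED_VERSION="2.16.0"   # minimum version treated as patched (the post's target)

# version_lt A B: succeed if A < B, comparing numeric major.minor.patch.
# Anything after the first non-digit in a component ("0-beta9") is ignored.
version_lt() {
  awk -v a="$1" -v b="$2" 'BEGIN {
    split(a, A, "."); split(b, B, ".")
    for (i = 1; i <= 3; i++) {
      x = A[i] + 0; y = B[i] + 0        # "0-beta9" -> 0, missing component -> 0
      if (x < y) exit 0
      if (x > y) exit 1
    }
    exit 1                              # equal is not less-than
  }'
}

# check_log4j_tree: read dependency:tree lines on stdin and print
# "<artifactId> <version> <verdict>" for every org.apache.logging.log4j artifact.
# Assumes coordinates of the form group:artifact:type:version:scope (no classifier).
check_log4j_tree() {
  status=0
  while IFS= read -r line; do
    coord=$(printf '%s\n' "$line" | sed -n 's/.*\(org\.apache\.logging\.log4j:[^ ]*\).*/\1/p')
    [ -n "$coord" ] || continue
    artifact=$(printf '%s' "$coord" | cut -d: -f2)
    version=$(printf '%s' "$coord" | cut -d: -f4)
    if [ "$artifact" = "log4j-core" ]; then
      if version_lt "$version" "$FIXED_VERSION"; then
        verdict="VULNERABLE (log4j-core below $FIXED_VERSION)"
        status=1
      else
        verdict="ok (log4j-core at or above $FIXED_VERSION)"
      fi
    else
      verdict="not exploitable by itself (JNDI lookup lives in log4j-core)"
    fi
    printf '%s %s %s\n' "$artifact" "$version" "$verdict"
  done
  return $status
}

# Constructed sample (not captured from a real build): an application that pulled
# in log4j-core 2.14.1 through spring-boot-starter-log4j2.
SAMPLE_TREE='[INFO] com.example:demo:jar:0.0.1-SNAPSHOT
[INFO] +- org.springframework.boot:spring-boot-starter-log4j2:jar:2.5.7:compile
[INFO] |  +- org.apache.logging.log4j:log4j-slf4j-impl:jar:2.14.1:compile
[INFO] |  |  \- org.apache.logging.log4j:log4j-api:jar:2.14.1:compile
[INFO] |  +- org.apache.logging.log4j:log4j-core:jar:2.14.1:compile
[INFO] |  \- org.apache.logging.log4j:log4j-jul:jar:2.14.1:compile'

case "${1:-}" in
  --check) check_log4j_tree ;;
  --demo)  printf '%s\n' "$SAMPLE_TREE" | check_log4j_tree ;;
esac
```

Running it with --demo on the sample reports log4j-core 2.14.1 as VULNERABLE and exits 1, while the other three artifacts are listed as not exploitable by themselves; after the log4j2.version override described above, rerun `mvn dependency:tree | sh check_log4j.sh --check` in CI and treat a non-zero exit as a build failure.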
I hope you find the above information useful; fix the issue immediately to keep your servers safe from attacks.
Send your valuable feedback and comments to firstname.lastname@example.org