Hi all,
Software Industry was in a shock with the log4j2 zero day exploit.
Exploited area
The Apache Log4j2 version ( >=2.0 to <=2.14.1 ) is exploitable due to an attacker controlled LDAP and JNDI endpoints.
Appendix
LDAP (Light Weight Directory Protocol) is an industry standard protocol to access directory services.
JNDI (Java Naming and Directory Interface) is a Java API for a directory service that allows Java software clients to discover and look up data and resources via a name.
Find more information about the vulnerability from NVD website link.
https://nvd.nist.gov/vuln/detail/CVE-2021-44228
NVD (National Vulnerability Database) is maintained by National Institute of Standards and Technology (NIST), An official part of United States of America (USA) government's Department of Commerce.
Fix the vulnerability
- Even in the latest spring boot package uses the vulnerable 2.14.1 log4j2 version.
- So, we need to explicitly add the specific version in the properties as below
- In pom.xml file, creating <properties> tag if not exists and add the attribute log4j2.version with version 2.16.0 (latest)
<properties>
<log4j2.version>2.16.0</log4j2.version>
</properties>
- To check the version applied to the project, run the following command
mvn dependency:tree | grep "log4j"
- The result should look like below
[INFO] | | | +- org.apache.logging.log4j:log4j-to-slf4j:jar:2.16.0:compile[INFO] | | | | \- org.apache.logging.log4j:log4j-api:jar:2.16.0:compile
- The similar type of vulnerability fixes available for other project builds.
Send your valuable feedback and comments to psrdotcom@gmail.com
No comments:
Post a Comment