Log4j is a Reliable, Fast and Flexible Logging Framework (APIs) Written in Java and Introduced in 2013. This Log4j library is prevalent in java projects.First vulnerability discovered 2021.The vulnerability is called Log4 Shell. The CVSS Score for Log4j is Critical range.
Apache Log4j is Vulnerable to RCE (Remote Control Execution) via JDBC Appender when the attacker controls configuration. This vulnerability occurs when An attacker who can control log messages or log message parameters and can execute arbitrary code 7loaded from LDAP servers when message lookup substitution is enabled.
We strongly recommend using Log4j 2.12.2 (for Java 7) and 2.16.0 (for Java 8 or later) as the message lookups feature has been completely removed. In addition, JNDI is disabled by default and other default configuration settings are modified to mitigate CVE-2021-44228 and CVE-2021-45046. Additionally we strongly recommend For Log4j 1, Remove the JMS Appender class or do not configure it. Log4j 1 is not supported and likely contains unfixed bugs and vulnerabilities (such as CVE-2019-17571). For applications, services, and systems that use Log4j, consult our expert team located at Asia, Europe, USA & in Africa for more details connected at info@wissenbaum.com