This repository is designed to be a collection of resources to learn about, detect and mitigate the impact of the Log4j vulnerability - more formally known as CVE-2021-44228 and CVE-2021-45046 (mirror from GitLab.com)

💡 Log4j CVE-2021-44228, CVE-2021-45046, CVE-2021-45105 Resources

This repository is designed to be a collection of resources to learn about, detect and mitigate the impact of the Log4j vulnerability - more formally known as CVE-2021-44228.

Below you can find a set of links to resources organized by topic area. If you want to add resources, you can fork this repository on GitLab.com and create a merge request. This repository on GitLab is mirrored to GitHub.

Table of contents

❔ About the vulnerability

Apache Log4j versions 2.0-2.14.1 are vulnerable to remote code execution (RCE). The flaw is remotely exploitable without authentication, i.e., attackers may exploit it over a network without needing a username and password.

New vulnerabilities have been discovered and fixed; see the Software updates section below for the timeline.

📦 Software updates

Upgrade log4j to the latest release to fix the vulnerabilities.

📄 CVE Information

💬 Security Advisories

📖 Other

🔥 Detecting the vulnerability

🚒 Security Vendors

πŸ—οΈ Guides

📈 Community tools and articles

Community projects and discussions; they have not been tested. Evaluate and assess their usability on your own before relying on them.

πŸ›‘οΈ Mitigating the vulnerability

The best way to mitigate the vulnerability is to update any application using Log4j to the latest version (see Software Updates section above). However, there have been many other discussions of how to mitigate the vulnerability short of that.

  • Disable message lookups. This option is available in Log4j 2.10 - 2.14.1 and requires restarting the process.
    • Add -Dlog4j2.formatMsgNoLookups=true to the JVM command line of processes running Log4j 2.10 - 2.14.1.
    • Or set the environment variable LOG4J_FORMAT_MSG_NO_LOOKUPS=true.
  • For versions 2.0-beta9 to 2.10.0, you can remove the JndiLookup class from the jar by running the command below and restarting the process:
    • zip -q -d log4j-core-*.jar org/apache/logging/log4j/core/lookup/JndiLookup.class
  • Without restarting the process, you can apply this hot patch, which injects a Java agent into running processes to patch the issue.
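As an added example (not tooling from this repository), the following Python checker inspects a log4j-core jar, reads its version from the Maven pom.properties that log4j-core jars carry, checks whether JndiLookup.class is still present, and maps the result onto the mitigation options listed above. The jar builder at the bottom constructs a minimal stand-in jar so the check runs offline; the version ranges are the ones stated in the list above.

```python
import io
import re
import zipfile

# Standard layout of a log4j-core jar: the lookup class and the Maven metadata.
JNDI_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
POM_PROPS = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"

def parse_version(text):
    """'2.14.1' -> (2, 14, 1); '2.0-beta9' -> (2, 0, 0). Qualifiers are ignored,
    so every 2.0 pre-release maps to (2, 0, 0) and is treated as affected."""
    m = re.match(r"(\d+)\.(\d+)(?:\.(\d+))?", text.strip())
    if not m:
        return None
    return (int(m.group(1)), int(m.group(2)), int(m.group(3) or 0))

def inspect_jar(data):
    """Return (version tuple or None, whether JndiLookup.class is present)."""
    with zipfile.ZipFile(io.BytesIO(data)) as jar:
        names = set(jar.namelist())
        version = None
        if POM_PROPS in names:
            for line in jar.read(POM_PROPS).decode("utf-8", "replace").splitlines():
                if line.startswith("version="):
                    version = parse_version(line.split("=", 1)[1])
        return version, JNDI_CLASS in names

def recommend(version, has_jndi):
    """Map the jar's state onto the mitigations listed above (upgrade always wins)."""
    if version is None:
        return "unknown version: inspect manually, then upgrade"
    if not (2, 0, 0) <= version <= (2, 14, 1):
        return "outside the 2.0-2.14.1 range; still upgrade to the latest release"
    if not has_jndi:
        return "JndiLookup.class already removed; upgrade when possible"
    if version >= (2, 10, 0):  # 2.10.0 qualifies for both options; prefer the flag
        return ("upgrade; interim: -Dlog4j2.formatMsgNoLookups=true or "
                "LOG4J_FORMAT_MSG_NO_LOOKUPS=true, then restart")
    return "upgrade; interim: delete JndiLookup.class from the jar, then restart"

def build_sample_jar(version, include_jndi=True):
    """Constructed stand-in for a log4j-core jar holding only the files inspected."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as jar:
        jar.writestr(POM_PROPS, f"artifactId=log4j-core\nversion={version}\n")
        if include_jndi:
            jar.writestr(JNDI_CLASS, b"\xca\xfe\xba\xbe")  # placeholder class bytes
    return buf.getvalue()

def assess(data):
    version, has_jndi = inspect_jar(data)
    return recommend(version, has_jndi)
```

Point assess() at the bytes of a real log4j-core jar to get the same verdict for a deployed library.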