On December 9, 2021, Apache disclosed CVE-2021-44228, a remote code execution vulnerability – assigned with a severity of 10 (the highest possible risk score) – affecting Apache Log4j2, a Java-based logging framework widely used in commercial and open-source software products.
The vulnerability together with two other subsequent vulnerabilities affect versions 2.0 through 2.17.0; version 2.17.1 is not vulnerable. (CVE-2021-44228, the focus of this post was fixed by 2.15, however, CVE-2021-45046 required a fix made in 2.16 and CVE-2021-45105 a fix made in 2.17.)
Bitdefender is already seeing and monitoring several malicious actors running active exploitation campaigns.
The CVE-2021-44228 vulnerability has been assigned the highest possible risk score (CVSS 10) due to its exploitation impact (ability to remotely execute code on targeted hosts). Likely, this vulnerability will linger in computing infrastructures for an extensive period of time due to the widespread use of the Log4j2 logging framework. It is important to note this vulnerability is easy to exploit and applications using the affected Log4j2 versions are subject to an extensive attack surface. Immediate action is advisable.
Bitdefender strongly advises its customers to take immediate action and deploy all existing patches and mitigations recommended in industry vendor advisories. We also recommend the following course of action:
It is important to note this is a highly dynamic situation and many software vendors and open-source projects are still investigating the presence of Log4j2 in their software bill of materials with additional advisories expected over the coming days and weeks. Therefore, closely monitoring for vendor updates should be a critical part of your ongoing mitigation efforts.
Bitdefender is actively investigating the potential risks posed by this vulnerability to customers using our products and services. The Bitdefender security engineering and security operations teams are continuously auditing and deploying any needed mitigation countermeasures to our cloud infrastructure and products to identify and eliminate potential risks.
Since this situation is dynamic and evolving, we will continue to actively monitor for new developments and will provide further status updates and guidance to our customers as needed.
Bitdefender recommends downloading and upgrading to the Apache Log4j 2.17.1 patch at this time.
No additional risks posed by this vulnerability to customers using our products and services have been identified at this time. We continue to actively monitor and will deploy any needed mitigation countermeasures should they be required (last updated December 28, 2021).
Technical Advisory: Zero-day critical vulnerability in Log4j2 exploited in the wild
Bitdefender is a global security technology company that delivers solutions in more than 100 countries through a network of value-added alliances, distributors and reseller partners. Since 2001, Bitdefender has consistently produced award-winning business and consumer security technology, and is a leading security provider in virtualization and cloud technologies. Through R&D, alliances and partnership teams, Bitdefender has elevated the highest standards of security excellence in both its number-one-ranked technology and its strategic alliances with the world’s leading virtualization and cloud technology providers.View all posts
June 02, 2023
Don’t miss out on exclusive content and exciting announcements!