On December 9, 2021, Apache disclosed CVE-2021-44228, a remote code execution vulnerability – assigned with a severity of 10 (the highest possible risk score) – affecting Apache Log4j2, a Java-based logging framework widely used in commercial and open-source software products.
The vulnerability together with two other subsequent vulnerabilities affect versions 2.0 through 2.17.0; version 2.17.1 is not vulnerable. (CVE-2021-44228, the focus of this post was fixed by 2.15, however, CVE-2021-45046 required a fix made in 2.16 and CVE-2021-45105 a fix made in 2.17.)
Bitdefender is already seeing and monitoring several malicious actors running active exploitation campaigns.
The CVE-2021-44228 vulnerability has been assigned the highest possible risk score (CVSS 10) due to its exploitation impact (ability to remotely execute code on targeted hosts). Likely, this vulnerability will linger in computing infrastructures for an extensive period of time due to the widespread use of the Log4j2 logging framework. It is important to note this vulnerability is easy to exploit and applications using the affected Log4j2 versions are subject to an extensive attack surface. Immediate action is advisable.
Bitdefender strongly advises its customers to take immediate action and deploy all existing patches and mitigations recommended in industry vendor advisories. We also recommend the following course of action:
It is important to note this is a highly dynamic situation and many software vendors and open-source projects are still investigating the presence of Log4j2 in their software bill of materials with additional advisories expected over the coming days and weeks. Therefore, closely monitoring for vendor updates should be a critical part of your ongoing mitigation efforts.
Bitdefender is actively investigating the potential risks posed by this vulnerability to customers using our products and services. The Bitdefender security engineering and security operations teams are continuously auditing and deploying any needed mitigation countermeasures to our cloud infrastructure and products to identify and eliminate potential risks.
Since this situation is dynamic and evolving, we will continue to actively monitor for new developments and will provide further status updates and guidance to our customers as needed.
Bitdefender recommends downloading and upgrading to the Apache Log4j 2.17.1 patch at this time.
No additional risks posed by this vulnerability to customers using our products and services have been identified at this time. We continue to actively monitor and will deploy any needed mitigation countermeasures should they be required (last updated December 28, 2021).
Bitdefender is a cybersecurity leader delivering best-in-class threat prevention, detection, and response solutions worldwide. Guardian over millions of consumer, enterprise, and government environments, Bitdefender is one of the industry’s most trusted experts for eliminating threats, protecting privacy, digital identity and data, and enabling cyber resilience. With deep investments in research and development, Bitdefender Labs discovers hundreds of new threats each minute and validates billions of threat queries daily. The company has pioneered breakthrough innovations in antimalware, IoT security, behavioral analytics, and artificial intelligence and its technology is licensed by more than 180 of the world’s most recognized technology brands. Founded in 2001, Bitdefender has customers in 170+ countries with offices around the world.View all posts
Don’t miss out on exclusive content and exciting announcements!