DIVD-2021-00038 - Apache Log4j2
|Case lead||Victor Gevers|
|Versions||2.0 <= Apache and log4j2 <= 2.15.0-rc1|
|Recommendation||Install the latest version of log4j version 2.17.1|
|Patch status||Full patched|
|Last modified||02 Nov 2022 21:18|
Apache reported a remote code execution vulnerability in Apache Log4j2, the vulnerability in the Log framework of Apache makes it possible to misuse the record log information feature. This makes it possible for an attacker to construct special data request packets through this vulnerable component, and ultimately trigger remote code execution.
What you can do
If you run Apache with version less then 2.0 or Apache and/or log4j2 less then 2.15.0-rc1 upgrade to version 2.17.1 as soon as possible.
What we are doing
We are scanning the internet for vulnerable servers, and will notify system owners via the listed abuse contacts.
|09 Dec 2021||Lunasec reported about the vulnerability.|
|09 Dec 2021||Proof of Concept code becomes publicly available.|
|10 Dec 2021||DIVD starts scanning the internet for CVE-2021-44228.|
|12 Dec 2021||DIVD sent out a first batch of notifications.|
|13 Dec 2021||DIVD and DTACT published a open-source local scanning tool, its on Github.|
|17 Dec 2021||DIVD sent out a second batch of notifications.|
|19 Dec 2021||DIVD sent out a third batch of notifications.|
|05 Apr 2022||Report published and case closed|
gantt title DIVD-2021-00038 - Apache Log4j2 dateFormat YYYY-MM-DD axisFormat %e %b %Y section Case DIVD-2021-00038 - Apache Log4j2 (117 days) :2021-12-09, 2022-04-05 section Events Lunasec reported about the vulnerability. : milestone, 2021-12-09, 0d Proof of Concept code becomes publicly available. : milestone, 2021-12-09, 0d DIVD starts scanning the internet for CVE-2021-44228. : milestone, 2021-12-10, 0d DIVD sent out a first batch of notifications. : milestone, 2021-12-12, 0d DIVD and DTACT published a open-source local scanning tool, its on Github. : milestone, 2021-12-13, 0d DIVD sent out a second batch of notifications. : milestone, 2021-12-17, 0d DIVD sent out a third batch of notifications. : milestone, 2021-12-19, 0d Report published and case closed : milestone, 2022-04-05, 0d