Skip to the content.

DIVD-2021-00038 - Apache Log4j2

Our reference DIVD-2021-00038
Case lead Victor Gevers
Author Victor Pasman
Researcher(s)
CVE(s)
Product Apache log4j
Versions 2.0 <= Apache and log4j2 <= 2.15.0-rc1
Recommendation Install the latest version of log4j version 2.17.1
Patch status Full patched
Status Closed
Last modified 02 Nov 2022 21:18 CET

Summary

Apache reported a remote code execution vulnerability in Apache Log4j2, the vulnerability in the Log framework of Apache makes it possible to misuse the record log information feature. This makes it possible for an attacker to construct special data request packets through this vulnerable component, and ultimately trigger remote code execution.

What you can do

If you run Apache with version less then 2.0 or Apache and/or log4j2 less then 2.15.0-rc1 upgrade to version 2.17.1 as soon as possible.

What we are doing

We are scanning the internet for vulnerable servers, and will notify system owners via the listed abuse contacts.

Timeline

Date Description
09 Dec 2021 Lunasec reported about the vulnerability.
09 Dec 2021 Proof of Concept code becomes publicly available.
10 Dec 2021 DIVD starts scanning the internet for CVE-2021-44228.
12 Dec 2021 DIVD sent out a first batch of notifications.
13 Dec 2021 DIVD and DTACT published a open-source local scanning tool, its on Github.
17 Dec 2021 DIVD sent out a second batch of notifications.
19 Dec 2021 DIVD sent out a third batch of notifications.
05 Apr 2022 Report published and case closed
gantt title DIVD-2021-00038 - Apache Log4j2 dateFormat YYYY-MM-DD axisFormat %e %b %Y section Case DIVD-2021-00038 - Apache Log4j2 (117 days) :2021-12-09, 2022-04-05 section Events Lunasec reported about the vulnerability. : milestone, 2021-12-09, 0d Proof of Concept code becomes publicly available. : milestone, 2021-12-09, 0d DIVD starts scanning the internet for CVE-2021-44228. : milestone, 2021-12-10, 0d DIVD sent out a first batch of notifications. : milestone, 2021-12-12, 0d DIVD and DTACT published a open-source local scanning tool, its on Github. : milestone, 2021-12-13, 0d DIVD sent out a second batch of notifications. : milestone, 2021-12-17, 0d DIVD sent out a third batch of notifications. : milestone, 2021-12-19, 0d Report published and case closed : milestone, 2022-04-05, 0d

More information