Help Center/ Container Guard Service/ FAQs/ Product Consultation/ Can CGS Detect Apache Log4j2 Remote Code Execution Vulnerabilities?
Updated on 2022-04-01 GMT+08:00

Can CGS Detect Apache Log4j2 Remote Code Execution Vulnerabilities?

Detection of the Apache Log4j2 Remote Code Execution Vulnerability

On December 16, Apache announced that in versions earlier than 2.16.0, there was a remote code execution vulnerability (CVE-2021-45046).

Apache Log4j2 is a widely used Java-based logging utility. If you are an Apache Log4j2 user, check your system and implement timely security hardening.

Reference: https://logging.apache.org/log4j/2.x/security.html

  • Severity: important (Severity levels: low, moderate, important, and critical)
  • Affected versions: all versions later than 2.0-beat9 and earlier than 2.16.0, excluding 2.12.2
  • Upgrade affected applications and components, such as spring-boot-starter-log4j2, Apache Solr, Apache Flink, and Apache Druid.
  • Secure versions: Apache Log4j 1.x and Apache Log4j 2.16.0
  • Vulnerability handling

    This vulnerability has been fixed in the official version. Upgrade all applications related to Apache Log4j2 to a secure version as soon as possible. Link: https://logging.apache.org/log4j/2.x/download.html

    Java 8 (or later) users should upgrade to release 2.16.0.

    Java 7 users should upgrade to release 2.12.2.

    Huawei Cloud Container Guard Service (CGS) can scan private images for the vulnerability. The basic edition is free of charge. Log in to the CGS console, choose Image Security, click the Image Vulnerabilities tab, and click the Private Image Vulnerabilities tab. For details, see Managing Private Image Vulnerabilities.

    • If the upgrade cannot be performed in a timely manner, run the following command to remove the JndiLookup class from the classpath, and restart the service.

      zip -q -d log4j-core-*.jar org/apache/logging/log4j/core/lookup/JndiLookup.class

    • Note: Before fixing vulnerabilities, back up your files and conduct a thorough test.