The vulnerability may give attackers the opportunity to take control of any internet-facing Java-based server and execute arbitrary code on it (remote code execution, RCE). Internal servers that could be affected by the vulnerability must also be considered, however, not just those exposed to the internet.

A detailed look at CVE-2021-44228: “An attacker who can control log messages or log message parameters can execute arbitrary code loaded from LDAP servers when message lookup substitution is enabled.”

The effects of this vulnerability are expected to be very far-reaching; according to the BSI, the full extent cannot yet be quantified. There are already reports that hackers are scouring the internet to identify servers that are vulnerable to exploitation.

Recommended action:

  • Update Apache Log4j to version 2.15 or later, as all earlier 2.x versions are vulnerable.
  • For Log4j version 2.10.0 or later, block JNDI requests to untrusted servers by setting the log4j2.formatMsgNoLookups configuration value to "TRUE" to prevent LDAP and other queries.
  • Set both com.sun.jndi.rmi.object.trustURLCodebase and com.sun.jndi.cosnaming.object.trustURLCodebase to "FALSE" to prevent remote code execution attacks in Java 8u121.
  • Install developer patch (if available).
  • Implement manufacturer workarounds (if available).
  • If no solution is available, shut down the system or restrict access.
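As an added example (not part of the Bechtle advisory), a small Python inventory check for the first recommendation: it walks a directory tree, opens every .jar with zipfile, and reports log4j-core jars below 2.15 that still contain the JndiLookup class, using the Maven pom.properties that log4j-core ships. The two demo jars are constructed in a temporary directory; in practice scan() is pointed at real application directories.

```python
import os
import re
import tempfile
import zipfile

JNDI_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
POM_PROPS = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
FIXED = (2, 15, 0)  # the advisory's threshold: Log4j 2.15 or later

def parse_version(text):
    """Extract (major, minor, patch) from the 'version=' line of a Maven pom.properties."""
    m = re.search(r"^version=(\d+)\.(\d+)(?:\.(\d+))?", text, re.M)
    return tuple(int(x or 0) for x in m.groups()) if m else None

def inspect_jar(path):
    """Finding for a log4j-core jar (None otherwise); an unreadable version counts as below the fix."""
    try:
        with zipfile.ZipFile(path) as z:
            names = set(z.namelist())
            if POM_PROPS not in names:
                return None
            version = parse_version(z.read(POM_PROPS).decode("utf-8", "replace"))
    except zipfile.BadZipFile:
        return None
    return {"path": path, "version": version, "jndi_lookup_present": JNDI_CLASS in names,
            "below_fixed": version is None or version < FIXED}

def scan(root):
    """Walk root and list log4j-core jars below 2.15 that still ship JndiLookup.class."""
    hits = []
    for dirpath, _, files in os.walk(root):
        for name in (f for f in files if f.endswith(".jar")):
            info = inspect_jar(os.path.join(dirpath, name))
            if info and info["below_fixed"] and info["jndi_lookup_present"]:
                hits.append(info)
    return hits

def make_sample_jar(directory, version):
    path = os.path.join(directory, "log4j-core-%s.jar" % version)  # constructed demo jar, not real Log4j
    with zipfile.ZipFile(path, "w") as z:
        z.writestr(POM_PROPS, "version=%s\nartifactId=log4j-core\n" % version)
        z.writestr(JNDI_CLASS, b"\xca\xfe\xba\xbe")  # placeholder bytes, not a real class file
    return path

def demo():
    with tempfile.TemporaryDirectory() as d:
        for v in ("2.14.1", "2.15.0"):
            make_sample_jar(d, v)
        return [h["version"] for h in scan(d)]  # [(2, 14, 1)]: only the 2.14.1 jar is reported
```

Nested jars inside WAR/EAR files and shaded fat jars are not unpacked here, so a clean result is a first pass, not proof that no vulnerable copy is present.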

Update from 15/12/2021:

As things stand, the Log4j vulnerability is being exploited by cybercriminals to install cryptomining malware, botnets, Cobalt Strike and other malware. If this happens, corporate information can be siphoned off, and sleeper implants can be placed in company networks where they lurk until they are activated at a later point in time. If exploitation of the Log4j vulnerability in an internet-facing service has been confirmed, additional steps must be taken to minimise the damage, such as:

  • Restore the affected service (and potentially its front-end and back-end systems) to a point in time before the vulnerability was exploited and install the patch, and/or reinstall it from a new, clean source and install the patch
  • Rotate the API keys of any cloud services used
  • Check network communication for unusual traffic
  • Check for potential lateral movement in the ICT landscape (threat hunting).

Please direct any questions to your Bechtle account manager or it-security@bechtle.com.

The list of affected products is constantly updated. The following sources provide an overview: