OSG-SEC-2021-12-13 CRITICAL Severity Vulnerability in Java library Log4j
Dear OSG Security Contacts,
A new vulnerability has been found in the Java Log4j library which allows a remote attacker to execute arbitrary code on a server if the system logs an attacker-controlled string value [1]. Proof of Concept for this attack is available and it is being actively exploited. Due to the widespread nature of this vulnerability and the ease of exploitation the OSG Security Team considers this vulnerability to be of CRITICAL severity for affected systems.
IMPACTED VERSIONS:
Any java based web service running a Log4j version prior to 2.15.0.
WHAT ARE THE VULNERABILITIES:
Any java-based web service that uses log4j for logging is potentially vulnerable to a remote code execution flaw which allows a remote attacker to execute a remote payload with a simple command.
A list of known affected services is being compiled [2], at present this includes Apache Solr, Druid, Flink, as well as Logstash, ElasticSearch, and Kafka. The full attack surface has not yet been identified.
At this point we do not believe the OSG software stack, dCache, or VOMS admin to be vulnerable to this attack.
WHAT YOU SHOULD DO:
As soon as possible, identify any services running log4j affected versions and update to version 2.15.0 or higher [3][4][5].
If you are using a version older than 2.15.0 and cannot upgrade a temporary mitigation may be available [6].
REFERENCES
[1] https://www.lunasec.io/docs/blog/log4j-zero-day/ [2] https://github.com/YfryTchsGD/Log4jAttackSurface [3] https://logging.apache.org/log4j/2.x/changes-report.html#a2.15.0 [4] https://repo1.maven.org/maven2/org/apache/logging/log4j/log4j-core/2.15.0/ [5] https://logging.apache.org/log4j/2.x/download.html [6] https://www.lunasec.io/docs/blog/log4j-zero-day/#temporary-mitigation
Please contact the OSG security team at [email protected] if you have any questions or concerns. OSG Security Team