Log4Shell Vulnerability Update – December 13, 2021

Log4j version 1.x not impacted

There is no evidence to indicate Log4j version 1.x is impacted by this vulnerability, however, please ensure due diligence when identifying all instances of Log4j within your environment. Potential locations of Log4j includes:

• File System
• Bundled within your IBM Software
• Application code on top of IBM software
• Application code sitting outside of IBM software

Caution: Vulnerability CVE 2021-44228 was introduced at Log4j v2.0 beta9 with JNDI look up.
The Apache Log4j2 JNDI features do not protect against attacker-controlled LDAP and other JNDI related endpoints. JNDILookup plugin can be found here https://issues.apache.org/jira/browse/LOG4J2-313 Credit Woonsan Ko as evidenced in the change log here: Log4j – Changes (apache.org)

Versions Affected: all log4j-core versions 2.0-beta9 to 2.14.1

For impacted versions of Log4j customers are strongly recommended to consider the following immediate mitigating actions:

NOTE:  Before implementing actions below customers should test within non-production environments to ensure zero unintended impact to operations.

Releases versions 2.10 or greater setting either the system property log4j2.formatMsgNoLookups or the environment variable LOG4J_FORMAT_MSG_NO_LOOKUPS to true.

Releases version 2.0-beta9 to 2.10.0 remove the JndiLookup class from the classpath: zip -q -d log4j-core-*.jar org/apache/logging/log4j/core/lookup/JndiLookup.class.

Release version 2.7 to 2.14.1, modify all PatternLayout patterns to specify the message converter as %m{nolookups} instead of just %m.

Official source for Log4j here: https://downloads.apache.org/logging/log4j/

A current list of indicators of compromise can be found here: https://exchange.xforce.ibmcloud.com/collection/4daa3df4f73a51590efced7fb90bc949

Note: This is not a complete list and only contains what has been identified to date. If you witness any of the indications of compromise highlighted above following mitigating action, it may be the case that Log4j resides elsewhere within your environment.

If you require support to assist you in finding Log4j files within your environment &/or in the conduct of the proposed actions within this communication, please log a ticket with the Origina Support Desk.


Gain insight into industry-only news, access to webinars, tips and tricks, blog posts, podcasts, and guides, surrounding topics like cybersecurity, reducing software support and maintenance costs and much more, all delivered to your inbox each month.