Important: Security Vulnerability CVE-2021-44832
Summary: Apache Log4j2 vulnerable to RCE via JDBC Appender when attacker controls configuration.
Details
Apache Log4j2 versions 2.0-beta7 through 2.17.0 (excluding security fix releases 2.3.2 and 2.12.4) are vulnerable to
a remote code execution (RCE) attack where an attacker with permission to modify the logging configuration file can
construct a malicious configuration using a JDBC Appender with a data source referencing a JNDI URI which can execute
remote code. This issue is fixed by limiting JNDI data source names to the java protocol in Log4j2 versions 2.17.1,
2.12.4, and 2.3.2.
Mitigation
Upgrade to Log4j 2.3.2 (for Java 6), 2.12.4 (for Java 7), or 2.17.1 (for Java 8 and later)
Reference
Please refer to the Security Page
for details and mitigation measures for older versions of Log4j.
Important: Security Vulnerabilities CVE-2021-45105, CVE-2021-45046 and CVE-2021-44228
Please refer to the Security Page for details
and mitigation measures for these security issues.
Apache Log4j 2
Apache Log4j 2 is an upgrade to Log4j that provides significant improvements over its predecessor, Log4j
1.x, and provides many of the improvements available in Logback while fixing some inherent problems in
Logback's architecture.
Some of the features and improvements in Log4j 2 are:
- API Separation
-
The API for Log4j is separate from the implementation making it clear for application developers
which classes and methods they can use while ensuring forward compatibility. This allows the
Log4j team to improve the implementation safely and in a compatible manner.
- Improved Performance
-
Log4j 2 contains next-generation Asynchronous Loggers based
on the LMAX Disruptor library. In multi-threaded scenarios
Asynchronous Loggers have 18 times higher throughput and
orders of magnitude lower latency than Log4j 1.x and Logback.
See Asynchronous Logging Performance
for details.
Otherwise, Log4j 2 performs faster than Log4j 1.x in critical areas
and similarly to Logback under most circumstances.
See Performance for more information.
- Support for multiple APIs
-
While the Log4j 2 API will provide the best performance, Log4j 2 provides support for the SLF4J and
Commons Logging APIs.
- Automatic Reloading of Configurations
-
Like Logback, Log4j 2 can automatically reload its configuration upon modification. Unlike Logback,
it will do so without losing log events while reconfiguration is taking place.
- Advanced Filtering
-
Like Logback, Log4j 2 supports filtering based on context data, markers, regular expressions,
and other components in the Log event. Filtering can be specified to apply to all events
before being passed to Loggers or as they pass through Appenders. In addition, filters can also
be associated with Loggers. Unlike Logback, you can use a common Filter class in any of these
circumstances.
- Plugin Architecture
-
Log4j uses the plugin pattern to configure components. As such, you do not need to write code
to create and configure an Appender, Layout, Pattern Converter, and so on. Log4j automatically
recognizes plugins and uses them when a configuration references them.
- Property Support
-
You can reference properties in a configuration, Log4j will directly replace them, or Log4j will
pass them to an underlying component that will dynamically resolve them. Properties come from values
defined in the configuration file, system properties, environment variables, the ThreadContext
Map, and data present in the event. Users can further customize the property providers by
adding their own Lookup Plugin.
Documentation
The Log4j 2 User's Guide is available on this site or as a downloadable
PDF.
Requirements
Log4j 2 requires Java 6.
Some features require optional dependencies; the documentation for these features specifies the
dependencies.
News
Log4j 2 is now available for production. The API for Log4j 2 is not compatible with Log4j 1.x, however an adapter
is available to allow applications to continue to use the Log4j 1.x API. Adapters are also available for
Apache Commons Logging and SLF4J.
|