
Log4Shell: 0-day Exploit in Popular Apache Logging Package Log4j 2

  • Dec 17, 2021
  • by A2 Security Team

A2 Hosting is dedicated to the proactive security of your site and strives to stay on top of the latest threats to keep you informed.

Apache Log4j 2 is a Java-based logging library developed by the Apache Foundation. It is used by numerous enterprise applications and cloud services to provide advanced logging capabilities. If you have a managed hosting account, you can rest assured that we take care of server configuration and updates for you. If you have an unmanaged server, now is a good time to review your security configuration and make sure updates are installed in a timely manner.

On November 24, 2021, Alibaba Cloud’s security team reported a Log4j 2 remote code execution vulnerability to Apache. The exploit takes advantage of Log4j functions that recursively parse and resolve the strings they log. With specially constructed malicious requests, attackers can trigger remote code execution.

The vulnerability impacts default configurations of several Apache frameworks, including:

  • Apache Druid
  • Apache Flink
  • Apache Solr
  • Apache Struts2


On December 10, 2021, this vulnerability was officially designated in the NIST national vulnerability database as CVE-2021-44228 (also known as the “Log4Shell” vulnerability).

How the Vulnerability Impacts You

Depending on the type of hosting account you have with A2 Hosting, you may or may not need to take action:

Shared, Reseller, and Managed WordPress Accounts

If you have a shared, reseller, or Managed WordPress hosting account, you do not need to do anything. These servers automatically receive frequent updates that include patches for the Log4j 2 vulnerability.

cPanel published an update to mitigate CVE-2021-44228 the same day the vulnerability was announced. For more information, see cPanel’s blog entry.

Managed VPS and Dedicated Servers

If you have a Managed VPS or Managed Dedicated server, you most likely do not need to take any action – your server is updated automatically with patches for the Log4j 2 vulnerability. The only exception is software that uses log4j and that you installed outside of cPanel/WHM; make sure those installations are updated. All software installed and managed by A2 has already been updated.

cPanel published an update to mitigate CVE-2021-44228 the same day the vulnerability was announced. For more information, see cPanel’s blog entry.

Unmanaged VPS and Dedicated Servers

If you have an unmanaged VPS or unmanaged Dedicated server, make sure you keep it up-to-date with the latest security patches.

If you use Log4j 2, it is very important to ensure you have updated to the most recent version. The first patch contained another vulnerability, which required a second patch.

Java 8 (or later) users should upgrade to release 2.16.0.

Java 7 users should upgrade to release 2.12.2.
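As an added example (not A2 Hosting's or Apache's own tooling), here is a Python check for an unmanaged server that finds log4j-core jars under a directory, reads each jar's version, and flags anything below the release named above for the Java line in use. The directory tree and jar contents it scans are constructed sample data, and the fixed-version table is taken from the two lines above.

```python
import re
import tempfile
import zipfile
from pathlib import Path

FIXED_VERSION = {7: (2, 12, 2), 8: (2, 16, 0)}  # fixed releases named in the advisory

def parse_version(text):
    """'2.14.1' -> (2, 14, 1); None when no x.y.z version is present."""
    m = re.search(r"(\d+)\.(\d+)\.(\d+)", text)
    return tuple(int(x) for x in m.groups()) if m else None

def needs_update(version, java_major):
    """True when this log4j-core version is below the fix for the given Java line."""
    target = FIXED_VERSION[7] if java_major < 8 else FIXED_VERSION[8]
    return version < target

def jar_version(jar_path):
    """Version from the jar's MANIFEST.MF, falling back to the file name."""
    try:
        with zipfile.ZipFile(jar_path) as zf:
            manifest = zf.read("META-INF/MANIFEST.MF").decode("utf-8", "replace")
        for line in manifest.splitlines():
            if line.startswith("Implementation-Version:"):
                return parse_version(line.split(":", 1)[1])
    except (zipfile.BadZipFile, KeyError, OSError):
        pass  # unreadable jar or no manifest: fall through to the file name
    return parse_version(Path(jar_path).name)

def scan(root, java_major):
    """[(path, version, flagged)] per log4j-core jar under root; unknown version is flagged."""
    out = []
    for path in Path(root).rglob("log4j-core-*.jar"):
        v = jar_version(path)
        out.append((str(path), v, v is None or needs_update(v, java_major)))
    return out

def build_sample_tree():
    """Constructed sample: one vulnerable and one fixed jar in a temp directory."""
    root = tempfile.mkdtemp(prefix="log4j-demo-")
    for rel, ver in (("app/lib/log4j-core-2.14.1.jar", "2.14.1"),
                     ("svc/lib/log4j-core-2.16.0.jar", "2.16.0")):
        Path(root, rel).parent.mkdir(parents=True)
        with zipfile.ZipFile(Path(root, rel), "w") as zf:
            zf.writestr("META-INF/MANIFEST.MF",
                        f"Manifest-Version: 1.0\nImplementation-Version: {ver}\n")
    return root

def demo(java_major=8):  # sorted (version, flagged) pairs from the constructed tree
    return sorted((v, f) for _, v, f in scan(build_sample_tree(), java_major))
```

Run `scan("/", 8)` (or 7 on a Java 7 host) to walk a real server; anything flagged, including jars whose version could not be read, should be upgraded or checked by hand.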

More information can be found at Apache.

For information about how to install updates on unmanaged servers, please see this Knowledge Base article.

The Bottom Line

Heartbleed, Shellshock… The Log4j vulnerability is only the latest in a long line of security bugs. It isn’t the first, and it surely won’t be the last.

If you have a managed hosting account, you can rest assured that we take care of server configuration and updates for you. If you have an unmanaged server, now is a good time to review your security configuration and make sure updates are installed in a timely manner.
