Qualys : Apache Log4j2 Zero-Day Exploited in the Wild (Log4Shell)

12/10/2021 | 02:42pm EST
An exploit for a critical zero-day vulnerability affecting Apache Log4j2, known as Log4Shell, was disclosed on December 9, 2021. Log4j2 versions from 2.0-beta9 through 2.14.1 are affected. The vulnerability is being actively exploited in the wild.

When exploited, the vulnerability results in remote code execution on the vulnerable server. Servers running Java runtimes later than 8u121 are protected against remote code execution because those runtimes default "com.sun.jndi.rmi.object.trustURLCodebase" and "com.sun.jndi.cosnaming.object.trustURLCodebase" to "false" (see https://www.oracle.com/java/technologies/javase/8u121-relnotes.html).

Log4j2 is a ubiquitous logging library used in millions of Java applications. Created by Ceki Gülcü, the library is part of the Apache Software Foundation's Apache Logging Services project.

Apache Log4j2 version 2.15.0 fixes this vulnerability. If updating the version is not possible, the following mitigation can be applied:

In Log4j versions 2.10 and later, this behavior can be mitigated by setting the system property "log4j2.formatMsgNoLookups" to "true", or by removing the JndiLookup class from the classpath.
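As an added example (not part of the Qualys post or of Log4j itself), the following Python script checks a log4j-core jar for the affected version range and for the presence of the JndiLookup class, and produces a copy of the jar with that class removed, which is the classpath mitigation described above. The pom.properties path used to read the version is an assumption about how the jar records its Maven metadata, and the sample jar is constructed in memory.

```python
import io
import re
import zipfile

# Class whose presence enables the JNDI lookup (the advisory's "remove JndiLookup" mitigation).
JNDI_LOOKUP_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
# Assumed location of the Maven metadata that records the jar's version.
POM_PROPERTIES = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"

def version_key(version):
    """Map '2.0-beta9', '2.10', '2.14.1' to a sortable tuple; a pre-release sorts below its release."""
    base, _, suffix = version.partition("-")
    parts = [int(p) for p in re.findall(r"\d+", base)][:3]
    parts += [0] * (3 - len(parts))
    return tuple(parts) + ((0,) if suffix else (1,))

VULN_LOW, VULN_HIGH = version_key("2.0-beta9"), version_key("2.14.1")  # affected range per advisory

def assess_jar(jar_bytes):
    """Return (version, has_jndi_lookup, vulnerable) for a log4j-core jar held in memory."""
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as zf:
        names = set(zf.namelist())
        version = None
        if POM_PROPERTIES in names:
            for line in zf.read(POM_PROPERTIES).decode("utf-8", "replace").splitlines():
                if line.startswith("version="):
                    version = line.split("=", 1)[1].strip()
    has_jndi = JNDI_LOOKUP_CLASS in names
    in_range = version is not None and VULN_LOW <= version_key(version) <= VULN_HIGH
    # With the class removed the lookup cannot run, even on an affected version.
    return version, has_jndi, has_jndi and in_range

def strip_jndi_lookup(jar_bytes):
    """Return a copy of the jar with JndiLookup.class removed (classpath mitigation)."""
    out = io.BytesIO()
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as src, zipfile.ZipFile(out, "w") as dst:
        for info in src.infolist():
            if info.filename != JNDI_LOOKUP_CLASS:
                dst.writestr(info, src.read(info.filename))
    return out.getvalue()

def build_sample_jar(version, include_jndi=True):
    """Constructed stand-in for log4j-core-<version>.jar; not a real Log4j artifact."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(POM_PROPERTIES, f"version={version}\nartifactId=log4j-core\n")
        if include_jndi:
            zf.writestr(JNDI_LOOKUP_CLASS, b"\xca\xfe\xba\xbe")  # placeholder class bytes
    return buf.getvalue()
```

On a real system, pass `open(path, "rb").read()` of each log4j-core jar to `assess_jar`, and write the result of `strip_jndi_lookup` back only after taking a backup; upgrading to 2.15.0 remains the preferred fix.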

The Qualys research team is actively working on a signature for this and will publish remote unauthenticated check QID 730297 by 10 PM ET Dec 10, 2021.

Please stay tuned. We will continue to update this blog as new updates become available.

Disclaimer

Qualys Inc. published this content on 10 December 2021 and is solely responsible for the information contained therein. Distributed by Public, unedited and unaltered, on 10 December 2021 19:41:04 UTC.

