Last Update: January 04, 2022
1. Overview
Multiple vulnerabilities have been found in Apache Log4j.
CVE-2021-44832: Remote Code Execution Vulnerability
Apache Log4j2 vulnerable to RCE via JDBC Appender when attacker controls configuration.
CVE-2021-45105: Denial of Service Vulnerability
Apache Log4j2 does not always protect from infinite recursion in lookup evaluation.
CVE-2021-45046: Code Execution Vulnerability
Apache Log4j2 Thread Context Lookup Pattern vulnerable to remote code execution in certain non-default configurations.
CVE-2021-44228: Remote Code Execution Vulnerability
Apache Log4j2 JNDI features do not protect against attacker controlled LDAP and other JNDI related endpoints.
2. Hitachi Product Information
December 28, 2021
December 17, 2021
hitachi-sec-2021-145: Vulnerability in JP1/VERITAS
hitachi-sec-2021-146: Vulnerability in Hitachi Device Manager, Hitachi Infrastructure Analytics Advisor, Hitachi Automation Director, Hitachi Ops Center Analyzer, Hitachi Ops Center Automator and Hitachi Ops Center Administrator
hitachi-sec-2021-147: Vulnerability in Hitachi Storage Plug-in for VMware vCenter
December 14, 2021
December 10, 2021
3. References
The Apache Software Foundation
Apache Log4j Security Vulnerabilities
https://logging.apache.org/log4j/2.x/security.html
CERT Coordination Center
Vulnerability Note VU#930724
https://www.kb.cert.org/vuls/id/930724
CISA
Apache Log4j Vulnerability Guidance
https://www.cisa.gov/uscert/apache-log4j-vulnerability-guidance
4. Update history
January 04, 2022
Masato Terada (HIRT) and Naoko Ohnishi (HIRT)