Since Log4j 2 is open source software, "If you find a problem, you fix it"?
By uavtechnology
15 Nov 22
Iji Kakeru's follow-up commentary
(Photo: @IT)
The subject of this installment's four-panel manga is the Log4j 2 arbitrary code execution vulnerability (CVE-2021-44228). It came to light on December 10 as a zero-day: Log4j 2 evaluates lookup expressions embedded in the messages it logs, so if an attacker can get a crafted string written to a log through "Apache Log4j", the Java logging library, the result is remote code execution (RCE). In Japan it became a hot topic on Twitter from Friday, December 10, 2021, and JPCERT/CC issued an alert on the Saturday. If you have not yet taken countermeasures, do so now, and refer to the following pages for the latest information:
Apache Log4j Arbitrary Code Execution Vulnerability (CVE-2021-44228) Alert (JPCERT/CC)
Apache Log4j Security Vulnerabilities (The Apache Software Foundation)
Logging and Log4j
Most software implements logging, that is, writing a record of its execution. Logs are used not only to investigate when something goes wrong but also to record whether processing completed normally and who accessed what. Everything from games to business systems needs much the same logging functionality, and it would be wasteful for everyone to reinvent the wheel, so such common parts are often developed as open source software under the idea "let's build the shared pieces together and all use them." One such library for Java is Log4j. "Apache Log4j" version 2 (hereafter "Log4j 2") was developed under the Apache Software Foundation as the successor to the original version 1 series (hereafter "Log4j 1"), and CVE-2021-44228 was found in Log4j 2.

Even the author, who normally develops only in .NET, thinks of Log4j as a big name. Still, it seems quite a few in-house and vendor SEs were dragged into fruitless work because of two misunderstandings: confusing Log4j with the much better known "Apache HTTP Server" (both are Apache projects) and concluding that the web server itself was vulnerable, and confusing Log4j 1, which this CVE does not affect, with Log4j 2.