[UPDATE] Zero-Day Vulnerability in Apache Java Logging Library Log4j
10 December 2021
Update:
Please refer to our latest advisory instead: [Update] Immediate Actions to Protect Against Exploitation of the Apache Java Logging Library Log4j Vulnerability.
Security researchers have discovered a zero-day vulnerability in the Apache Java logging library Log4j (CVE-2021-44228). A proof-of-concept exploit has also been published. Successful exploitation could allow an attacker to gain full control of the affected servers.
System administrators using Apache Log4j versions between 2.0 and 2.14.1 are advised to upgrade to the latest version 2.15.0 immediately. The patch is available for download here: https://logging.apache.org/log4j/2.x/download.html
As the latest patch version of Log4j 2.15.0 requires Java 8, system administrators using Java 7 will be required to upgrade to Java 8. Alternatively, system administrators may reconfigure affected servers with "log4j2.formatMsgNoLookups" set to "true" when starting the Java virtual machine, and closely monitor the servers for any suspicious activity.
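The two actions above (find out which Log4j 2.x version is on the classpath, then either upgrade or start the JVM with the lookup-disabling property) can be checked from the command line. The script below is an added example, not part of the advisory or of the Apache project: it classifies a `log4j-core` version string against the affected range stated above (2.0 to 2.14.1, fixed in 2.15.0) and scans a directory of JARs by reading the Maven `pom.properties` that `log4j-core` ships inside the archive. Directory paths and the sample version strings are constructed for illustration; the property name `log4j2.formatMsgNoLookups` is the one the advisory names.

```shell
#!/bin/sh
# Added example (not from the advisory): classify a log4j-core version against
# the range the advisory calls affected, and locate log4j-core inside JARs.
# Only the 2.x line is covered here; anything else is reported as "unknown".

# log4j_status VERSION  -> prints one of: vulnerable | fixed | unknown
log4j_status() {
  v=$(printf '%s' "$1" | sed 's/[^0-9.].*//')   # drop qualifiers such as -rc1
  major=${v%%.*}
  rest=${v#*.}
  minor=${rest%%.*}
  [ "$rest" = "$v" ] && minor=""                 # no dot at all: not a usable version
  case "$major" in ''|*[!0-9]*) echo unknown; return 0;; esac
  case "$minor" in ''|*[!0-9]*) echo unknown; return 0;; esac
  if [ "$major" -ne 2 ]; then
    echo unknown                                 # 1.x is a different code base
  elif [ "$minor" -lt 15 ]; then
    echo vulnerable                              # 2.0 .. 2.14.1 per the advisory
  else
    echo fixed                                   # 2.15.0 or later
  fi
}

# scan_jars DIR -> one tab-separated line per JAR that embeds log4j-core:
#   <jar path> <version> <status>
# Requires unzip; JARs without log4j-core's pom.properties are skipped.
scan_jars() {
  find "$1" -name '*.jar' 2>/dev/null | while read -r jar; do
    props=$(unzip -p "$jar" \
      'META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties' \
      2>/dev/null) || continue
    ver=$(printf '%s\n' "$props" | sed -n 's/^version=//p')
    [ -n "$ver" ] || continue
    printf '%s\t%s\t%s\n' "$jar" "$ver" "$(log4j_status "$ver")"
  done
}

# Usage: ./log4j_check.sh /opt/myapp/lib      (constructed path)
# Interim mitigation from the advisory, applied at JVM start-up when an
# upgrade to 2.15.0 is not yet possible:
#   java -Dlog4j2.formatMsgNoLookups=true -jar app.jar
if [ "$#" -gt 0 ]; then
  scan_jars "$1"
fi
```

The version classifier is deliberately conservative: a string it cannot parse, or a major version other than 2, is reported as `unknown` rather than `fixed`, so an unusual build gets looked at by hand instead of being silently passed.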
More information is available here:
https://www.lunasec.io/docs/blog/log4j-zero-day/
https://www.cert.govt.nz/it-specialists/advisories/log4j-rce-0-day-actively-exploited/
https://auscert.org.au/bulletins/ASB-2021.0244
https://www.randori.com/blog/cve-2021-44228/