A critical vulnerability (CVE-2021-44228) has been discovered in Log4j which is a very popular logging framework in Java. The security hole has been named Log4Shell. The framework is used by many companies of all sizes and the security hole is therefore having a large impact worldwide.
⚠️ We have already protected all of our hosting servers. If you have a do-it-yourself server with us, it is important that you patch it if you use Log4j. Read more below.
Information about the security hole was publicly released on December 9, 2021. Security holes are rated according to their severity and Log4Shell has been given the maximum rating of 10.0.
Most major companies in the world are affected, including companies like Apple, Cloudflare, Amazon, Google, IBM, Tesla and others. GitHub maintains a list of affected companies and services.
Many people are currently scrutinizing the Log4j code, and since the news broke additional security holes have been found, which have also been fixed in new versions. We will update this news regularly.
Our servers are patched
Our hosting servers, all managed servers and internal systems are patched.
We are using Apache Solr to speed up email search. This in turn uses Log4j.
The service itself is only accessible locally from the server, requires authentication and is set up as a separate user without administrator privileges. This makes the attack surface very small to begin with.
We have not seen any traces of intrusion at our site.
If you have a do-it-yourself server
If you have a server in our “Do-it-yourself” service, it is very important that you make sure to patch all services that may be vulnerable on your server.
On GitHub you can find a list of applications that have confirmed vulnerabilities. It is updated continuously as new ones are found and confirmed. Please keep an eye on it for some time to come.
How do you close the security hole?
Closing and mitigating the security hole is easy. Keep in mind that in addition to plugging the hole, you should check that no one has exploited it.
If personal or customer data has been exposed, you may need to notify both your customers and the relevant authorities.
You have three options:
1. Upgrade to Log4j v2.17.0
2. If you cannot update and are using Log4j v2.10 or above, you can also change the configuration as follows:
log4j2.formatMsgNoLookups=true
It is also possible to set an environment variable with the same effect:
LOG4J_FORMAT_MSG_NO_LOOKUPS=true
3. You can also remove the JndiLookup class from the classpath, for example by running a command like the following, which removes it from log4j-core:
zip -q -d log4j-core-*.jar org/apache/logging/log4j/core/lookup/JndiLookup.class
Once you have done any of the above, you will need to restart all services that use Log4j.
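To verify on a do-it-yourself server which of the three options has actually been applied, the following inventory script is an added example (it is not the hosting provider's own tooling). It walks a directory tree, finds every log4j-core jar, reads its version from the manifest or file name, checks whether the JndiLookup class is still present, and can rewrite a jar without that class, which is what the zip command in option 3 does. It assumes the jars are named log4j-core-<version>.jar and carry an Implementation-Version line in META-INF/MANIFEST.MF; the fixed version threshold follows option 1 above (v2.17.0) and the v2.10 lower bound follows option 2.

```python
"""Inventory and mitigation check for Log4j 2 jars (added example, not the
hosting provider's own tooling). Assumes jars named log4j-core-<version>.jar
whose META-INF/MANIFEST.MF carries an Implementation-Version line."""
import os
import re
import shutil
import tempfile
import zipfile

JNDI_LOOKUP_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
FIXED_VERSION = (2, 17, 0)      # option 1 on the page: upgrade to v2.17.0
NO_LOOKUPS_MIN = (2, 10, 0)     # option 2 only applies from v2.10 upward
JAR_NAME_RE = re.compile(r"log4j-core-(\d+)\.(\d+)\.(\d+)\.jar$")


def parse_version(text):
    """Turn '2.14.1' into (2, 14, 1); return None for anything else."""
    m = re.fullmatch(r"(\d+)\.(\d+)\.(\d+)", text.strip())
    return tuple(int(x) for x in m.groups()) if m else None


def jar_version(path):
    """Read the version from the jar manifest, falling back to the file name."""
    with zipfile.ZipFile(path) as zf:
        if "META-INF/MANIFEST.MF" in zf.namelist():
            manifest = zf.read("META-INF/MANIFEST.MF").decode("utf-8", "replace")
            for line in manifest.splitlines():
                if line.startswith("Implementation-Version:"):
                    v = parse_version(line.split(":", 1)[1])
                    if v:
                        return v
    m = JAR_NAME_RE.search(os.path.basename(path))
    return tuple(int(x) for x in m.groups()) if m else None


def has_jndi_lookup(path):
    """True if the jar still ships the JndiLookup class (option 3 not applied)."""
    with zipfile.ZipFile(path) as zf:
        return JNDI_LOOKUP_CLASS in zf.namelist()


def assess_jar(path):
    """Classify one jar as 'fixed', 'class-removed' or 'needs-mitigation'."""
    version = jar_version(path)
    jndi = has_jndi_lookup(path)
    if version is not None and version >= FIXED_VERSION:
        status = "fixed"
    elif not jndi:
        status = "class-removed"          # option 3 already applied
    else:
        status = "needs-mitigation"
    return {
        "path": path,
        "version": version,
        "jndi_lookup_present": jndi,
        "status": status,
        # option 2 (log4j2.formatMsgNoLookups) is only available on 2.10 and later
        "format_msg_no_lookups_applicable": (
            version is not None and NO_LOOKUPS_MIN <= version < FIXED_VERSION
        ),
    }


def scan(root):
    """Walk a directory tree and assess every log4j-core jar found."""
    results = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            if JAR_NAME_RE.search(name):
                results.append(assess_jar(os.path.join(dirpath, name)))
    return results


def remove_jndi_lookup(path):
    """Rewrite the jar without JndiLookup.class (what `zip -q -d` does above).
    Returns True if the class was removed, False if it was not present."""
    if not has_jndi_lookup(path):
        return False
    fd, tmp = tempfile.mkstemp(suffix=".jar", dir=os.path.dirname(path) or ".")
    os.close(fd)
    with zipfile.ZipFile(path) as src, zipfile.ZipFile(tmp, "w") as dst:
        for item in src.infolist():
            if item.filename != JNDI_LOOKUP_CLASS:
                dst.writestr(item, src.read(item.filename))
    shutil.move(tmp, path)          # atomic replace of the original jar
    return True


if __name__ == "__main__":
    import sys
    for r in scan(sys.argv[1] if len(sys.argv) > 1 else "."):
        print(f"{r['status']:16} {r['version']}  jndi={r['jndi_lookup_present']}  {r['path']}")
```

Run it as `python3 log4j_check.py /opt` to list every log4j-core jar below /opt with its verdict. A "fixed" or "class-removed" result still requires the restart mentioned above before it takes effect, and a jar that is "needs-mitigation" on a version below 2.10 can only be handled with option 1 or option 3, since the formatMsgNoLookups setting does not exist there.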
In an earlier version of this article we told you that version 2.15.0 might be a solution. On 15 December it was noted that it does not fully protect either. So you should upgrade to version 2.16.0.