1.0 Introduction

Overview

A newly revealed vulnerability impacting Apache Log4j 2 versions 2.0 to 2.14.1 was disclosed on GitHub on 9 December 2021 and registered as CVE-2021-44228 with the highest severity rating.

The Problem

Log4j is an open-source, Java-based logging utility widely used by enterprise applications and cloud services. By utilizing this vulnerability, a remote attacker could take control of the affected system.

The Impact

Gemini Data is aware of this vulnerability, has completed verification and internal Software BOM validation, and can conclude that Gemini Central (and by extension Gemini Manage), does not utilize any Java components, and thus does not utilize the log4j library, and thereby is not impacted by this vulnerability.

Precautions Regarding Other Software

For customers, who use the log4j library with other Java applications, here are some proactive measures, which they can take to reduce the risk posed by CVE-2021-44228:

• Upgrade to Apache log4j-2.1.50.rc2, as all prior 2.x versions are vulnerable.
• For Log4j version 2.10.0 or later, block JNDI from making requests to untrusted servers by setting the configuration value log4j2.formatMsgNoLookups to “TRUE” to prevent LDAP and other queries.
• Any usage of TomCat, JBoss, and other Java Servlet systems should upgrade and update to the latest patch to avoid such issue.
• Default both com.sun.jndi.rmi.object.trustURLCodebase and com.sun.jndi.cosnaming.object.trustURLCodebase to “FALSE” to prevent Remote Code Execution attacks in Java 8u121.