Log4J 2.17.0 is Vulnerable to RCE. Upgrade to 2.17.1

I know the wish list of all Java developers for Santa starts with "No more Log4J vulnerabilities". However sometimes even Santa cannot fulfill all your wishes. A new security vulnerability was found in Log4J 2.0-alpha7 to 2.17.0 excluding 2.3.2 and 2.12.4.

The new vulnerability allows Remote Code Execution (RCE) attack where an attacker with permission to modify the logging configuration file can construct a malicious configuration using a JDBC Appender with a data source referencing a JNDI URI which can execute remote code.

Log4J 2.17.0 is Vulnerable to RCE. Upgrade to 2.17.1

Unlike the CVE-2021-44228 that triggered the domino effect of Log4J vulnerabilities, CVE-2021-44832 is marked as a moderated risk since it requires access to your Log4J configuration. For those who don't know, projects using Log4J with the CVE-2021-44228 vulnerability can be exploited by submitting modified HTTP requests. On the other hand, CVE-2021-44832 requires direct access to the Log4J configuration for an outsider. If somebody got the access to your system to modify the Log4J configuration, you are already doomed. Therefore, you may not need to rush to apply the patch if your system is already secure enough.

Similar to CVE-2021-44228 and CVE-2021-45105, CVE-2021-44832 also affects log4j-core only.

The CVE-2021-44832 issue particularly hasn't affect Log4J 1.x versions. However, Log4J 1.x is not maintained anymore and do not expect any security patches in case if a security vulnerability is found in the future. Based on Java versions, upgrade to the latest version with the fix for all known security vulnerabilities so far.

Java VersionLatest Log4J Version
Java 8 and laterLog4j 2.17.1
Java 7Log4j 2.12.4
Java 6Log4j 2.3.2


The latest Log4J versions in the above table have fixed the issue by limiting JNDI data source names to the java protocol.

Let me repeat the process for developers to identify the vulnerable Log4J versions.

Run the following command from your project folder.

mvn dependency:tree

Any Log4J dependency with a version less than 2.17.1 is most likely vulnerable or unmaintained. Maven central repository has a new column with the number of vulnerabilities in each Log4j version.

Log4J 2.17.0 is Vulnerable to RCE. Upgrade to 2.17.1

If you encounter any vulnerable Log4j versions as your direct dependencies defined in your pom file, or in your parent pom file, upgrade them immediately. Remember by defining the following dependency in your pom file, you can override the dependency defined in your parent pom file.

<dependency>
    <groupId>org.apache.logging.log4j</groupId>
    <artifactId>log4j-core</artifactId>
    <version>2.17.1</version>
</dependency>


Log4J 2.17.0 is Vulnerable to RCE. Upgrade to 2.17.1 
Image Credits: Google

A vulnerable Log4J library can be buried under a multi-level dependency tree. If any of your libraries are using a vulnerable dependency, look for their latest fixed versions or talk to your security team.

Read More

Goodbye Log4j

ALERT Dec 16th 2021: How to Fix Log4J Vulnerability.
 
ALERT Dec 18th 2021: Log4J 2.16.0 is vulnerable to DoS attack. Switch to 2.17.0. For more details: Log4J 2.16.0 is Vulnerable to DoS. Switch to 2.17.0.
 
ALERT Dec 29th 2021: Log4J 2.17.0 is vulnerable to RCE attack. Switch to 2.17.1. For more details: Log4J 2.17.0 is Vulnerable to RCE. Upgrade to 2.17.1. 

This article is an old post introducing SLF4J. You can still refer it to learn more about SLF4J. For Log4J vulnerability related posts, check these links:
 
After seeing so many students in last four years, I have decided to write this article about the new loggers which are widely being used by the industry. Almost all the university students I have seen are familiar with Log4j 1.x (at least heard about it) but most of them even did not hear about SLF4J and Logback. The purpose of this article is introducing SLF4J and Logback and convincing you towards them. Before getting into the topic, be informed that Log4j 1.x is not being maintained after August 5, 2015 and Ceki Gülcü the developer of Log4j came up with the new tools SLF4J and Logback. Technically, Logback is an enhanced successor of Log4j and performs better than Log4j.

He did a good job, but we have to move forward.
Read More

Log4J 2.16.0 is Vulnerable to DoS. Upgrade to 2.17.0.

ALERT: Log4J 2.17.0 is vulnerable to RCE attack. Switch to 2.17.1. For more details: Log4J 2.17.0 is Vulnerable to RCE. Upgrade to 2.17.1.

Dear Java Developers, cancel your holiday plans. Another Log4j vulnerability was reported on December 16th Thursday and a new Log4j version is released with the patch on December 18th Saturday. Log4J 2.16.0 is no longer safe.

The new vulnerability independently discovered by Hideki Okamoto of Akamai Technologies, Guy Lederfein of Trend Micro Research working with Trend Micro’s Zero Day Initiative, and another anonymous vulnerability researcher allows denial of service attack on systems using Log4j 2.0-beta9 to 2.16.0. Remember that Log4j 2.16.0 was released last week to fix the CVE-2021-44228 vulnerability and chances are high for most of the Java projects already being upgraded to Log4j 2.16.0 which is vulnerable to DoS attack now.


Log4J 2.16.0 is Vulnerable. Switch to 2.17.0

Similar to the previous vulnerability, the CVE-2021-45105 doesn't mean everyone using Log4j 2.0-beta9 to 2.16.0 is vulnerable. This uncontrolled recursion from self-referential lookups bug affects only if your Log4j configuration has Context Lookups like ${ctx:loginId} or $${ctx:loginId}. Though removing such context lookups where they originate from sources external to the application such as HTTP headers or user input is one way to solve the issue, it is recommended to replace Context Lookups like ${ctx:loginId} or $${ctx:loginId} with Thread Context Map patterns (%X, %mdc, or %MDC). Instead, you can upgrade to the latest Log4j version 2.17.0.

Similar to CVE-2021-44228, CVE-2021-45105 also affects log4j-core only.

Last Friday, Google published a blog post claiming more than 35,000 Java packages in the Maven Central repository are affected by Log4j vulnerability. By the time of publishing that article only 5000 artifacts were patched. That leaves 30,000 packages hanging around with vulnerable Log4j dependency. Google also mentioned that in more than 80% of the packages, the vulnerability is more than one level deep, with a majority affected five levels down (and some as many as nine levels down). This makes fixing them hard as a package maintainer you have to rely on your dependency maintainer to publish a fixed version.

Coming to the projects you have control over, you have to go through the same cycle once more to upgrade all your Log4j dependencies to the latest version 2.17.0.

Let me repeat the process for developers to identify the vulnerable Log4J versions.

Run the following command from your project folder.

mvn dependency:tree

Any Log4J dependency with a version less than 2.17.0 is most likely vulnerable or unmaintained. Maven central repository has a new column with the number of vulnerabilities in each Log4j version.

Log4J 2.16.0 is Vulnerable to DoS. Switch to 2.17.0.

If you encounter any vulnerable Log4j versions as your direct dependencies defined in your pom file, or in your parent pom file, upgrade them immediately. Remember by defining the following dependency in your pom file, you can override the dependency defined in your parent pom file.

<dependency>
    <groupId>org.apache.logging.log4j</groupId>
    <artifactId>log4j-core</artifactId>
    <version>2.17.0</version>
</dependency>


Log4J 2.16.0 is Vulnerable. Switch to 2.17.0 
Image Credits: Google

A vulnerable Log4J library can be buried under a multi-level dependency tree. If any of your libraries are using a vulnerable dependency, look for their latest fixed versions or talk to your security team.

Read More

How to Fix Log4J Vulnerability

ALERT 1: Log4J 2.16.0 is vulnerable to DoS attack. Switch to 2.17.0. For more details: Log4J 2.16.0 is Vulnerable to DoS. Switch to 2.17.0.


ALERT 2: Log4J 2.17.0 is vulnerable to RCE attack. Switch to 2.17.1. For more details: Log4J 2.17.0 is Vulnerable to RCE. Upgrade to 2.17.1.

 

Log4j security vulnerability has stolen the sleep of developers over the last week. Though it is a little late, this article explains how to identify if your project is using Log4j and how to fix the problem. Let's start with the problem description: In Apache Log4j2 versions up to and including 2.14.1 (excluding security release 2.12.2), the JNDI features used in configurations, log messages, and parameters do not protect against attacker-controlled LDAP and other JNDI related endpoints. An attacker who can control log messages or log message parameters can execute arbitrary code loaded from LDAP servers when message lookup substitution is enabled.

How to fix Log4J Vulnerability

 

Note that only the log4j-core JAR file is impacted by this vulnerability. Applications using only the log4j-api JAR file without the log4j-core JAR file are not impacted by this vulnerability.


Though the Log4j you are using in your project is vulnerable doesn't mean that your project is vulnerable. If you are behind a firewall with no external access or if you don't log any user inputs, chances to attack your system are slim. However, it doesn't mean you can relax since it is always a best practice to fix vulnerabilities in the project regardless of whether you are affected or not.


Read More

Run Apache NiFi in Docker

Running Apache NiFi in Docker is a simple and hassle-free process if you know the port to access. This article explains how to get Apache NiFi running in Docker on a Linux machine. If you don't have already, install Docker first.

Run Apache NiFi in Docker
Read More

Install Oracle JDK 17 on Linux

Even though OpenJDK is available in Linux repositories, some applications strictly require Oracle Java Development Kit. This article shows you how to manually install Oracle JDK $java_version on your Linux system. This article uses JDK $java_version$java_update_no to demonstrate the installation. In the provided commands, replace the version specific paths and file names according to your downloaded version.

Version specific installation guides are available here:


Install Oracle JDK $java_version on Linux

Oracle provides deb and rpm installers
If your Linux distribution is using DEB package format like Debian, you can download and install the jdk-$java_version$java_update_no_linux-x64_bin.deb file using the following command:
sudo dpkg -i jdk-$java_version_linux-x64_bin.deb
If your  Linux distribution is using RPM package format like Cent OS, you can download and install the jdk-$java_version_linux-x64_bin.rpm file using the following command:
sudo rpm -ivh jdk-$java_version_linux-x64_bin.rpm

However, this article explains the manual installation method which is applicable for all Linux distributions out there. Personally, I prefer the manual installation because I have more control over the changes made in the system.


Read More

Install MySQL 8 on Ubuntu/Linux Mint

Ubuntu official software repository provides MySQL 5.x which can be installed by following the article: Install MySQL with phpMyAdmin on Ubuntu. However the latest release of MySQL: 8.x, requires you to manually add the software repository into your system which makes the installation process little tricky. This article walks you through the end-to-end installation process of MySQL 8.

Install MySQL 8 on Ubuntu/Linux Mint


Read More

Install Docker on Ubuntu/Linux Mint/PopOS

The official docker installation guide provides commands to install the latest Docker on Ubuntu machines but the command to add the docker repository is too specific to Ubuntu. In this article you will find a step by step guide to install the latest Docker using the official PPA on Ubuntu or any Ubuntu derivatives such as Linux Mint, Elementary OS, Pop OS, etc.

Read More

Create Scala Project with Maven in IntelliJ Idea

Every Scala developer out there knows SBT is the default build tool for Scala but there may be some situations limiting you to stick with the famous build tool for Java: Apache Maven. Haven't come across a reason to use Maven for Scala projects yet? Keep using SBT. However, if your team decides to use Apache Maven because it works well with their CI server or because they have a well-established development environment with Apache Maven, you have no choice and this article is here to help you.
Create Scala with Maven Project in IntelliJ Idea
Creating a Scala project using Apache Maven in the command-line is easy. Just run the following command, answer the questions in the interactive shell and you are good to go. Install Apache Maven on Linux to run mvn from the terminal.
mvn archetype:generate -DarchetypeGroupId=net.alchim31.maven -DarchetypeArtifactId=scala-archetype-simple
However, why should we switch to the terminal just to create a project and then switch back to the IntelliJ Idea and import the project to continue the development? In this article, you will see how to prepare your IntelliJ Idea to create Scala projects with Apache Maven.
Read More

Install Oracle JDK 16 on Linux

Even though OpenJDK is available in Linux repositories, some applications strictly require Oracle Java Development Kit. This article shows you how to manually install Oracle JDK $java_version on your Linux system. This article uses JDK $java_version$java_update_no to demonstrate the installation. In the provided commands, replace the version specific paths and file names according to your downloaded version.

Version specific installation guides are available here:


Install Oracle JDK $java_version on Linux

Oracle provides deb and rpm installers
If your Linux distribution is using DEB package format like Debian, you can download and install the jdk-$java_version$java_update_no_linux-x64_bin.deb file using the following command:
sudo dpkg -i jdk-$java_version$java_update_no_linux-x64_bin.deb
If your  Linux distribution is using RPM package format like Cent OS, you can download and install the jdk-$java_version$java_update_no_linux-x64_bin.rpm file using the following command:
sudo rpm -ivh jdk-$java_version$java_update_no_linux-x64_bin.rpm

However, this article explains the manual installation method which is applicable for all Linux distributions out there. Personally, I prefer the manual installation because I have more control over the changes made in the system.


Read More

Download Files in Android - Kotlin & Java

Unless you are writing a Download Manager, downloading files in an Android application is never going to be the main business logic to solve but based on the requirement, you may need to download metafiles, media files, or documents over the Internet within your Android application. However, a reliable solution to download files in an Android application poses its own challenges including but not limited to the following list:


1. Thread Management

IO operations must be executed in a separate thread. Though there are plenty of options to achieve this such as now deprecated AsyncTask, Kotlin coroutines, or RxJava, still complex for a novice developer to properly handle the concurrency problems. Sending signals to the downloading thread to cancel or pause the download may introduce additional synchronization issues.


2. Error Handling

What if the Internet connection dropped while downloading the file? What if the application is closed while downloading/saving the file? How to handle all HTTP errors? the list goes on. Addressing all these scenarios is tedious and most of the time not possible.


3. Updating the UI

While downloading the file in a separate thread, updating a progress bar in the main thread is a challenge unless the concurrency framework you use provides an easy way. The same goes to update the UI after the file is downloaded.

Read More

Java is Dead! Once More

Programming languages are ranked based on different criteria. For example, Stack Overflow lists programming languages based on the number of questions and answers; while it is a clear indication of the recent popularity of a language, already matured languages not necessarily require the developers to search for "how to write a loop". Similarly, the famous index Tiobe lists Java as the second most popular language next to C at the time of writing this article. Tiboe ranks programming languages based on the number of skilled engineers world-wide, courses, and third-party vendors. Popular search engines such as Google, Bing, Yahoo!, Wikipedia, Amazon, YouTube, and Baidu are used to calculate the ratings. It is important to note that the TIOBE index is not about the best programming language or the language in which most lines of code have been written.


Coming to the point, recently I saw an index claiming Python took the first place pushing Java to the second place. Nothing to worry; good for Python! The programming language war is never-ending like the Linux distribution war. Fanboys always claim that their language is superior to any other language. This article analyzes if Java is dying and is Python replacing Java so that you can learn and live with Python only. I am comparing Python against Java because of the most recent claims I've seen over the internet but the core idea remains the same for any language out there.


Read More

Install the Latest Oracle JDK on Mac

This article shows you how to install Oracle JDK $java_version on your Mac system. This article uses JDK $java_version$java_update_no to demonstrate the installation. In the provided commands, replace the version specific paths and file names according to the downloaded version.

Oracle provides a Mac installer and a binary file.This article explains how to install Oracle JDK using the mac installer and how to set the JAVA_HOME variable.

Install Oracle JDK $java_version on Linux

Read More

Running Docker Without Sudo on Linux

After installing Docker on Linux, you may get a permission denied message as shown below when you try to run your first docker command:

docker: Got permission denied while trying to connect to the Docker daemon socket at unix:///var/run/docker.sock: Post http://%2Fvar%2Frun%2Fdocker.sock/v1.24/containers/create: dial unix /var/run/docker.sock: connect: permission denied.
See 'docker run --help'.

You can solve this problem by running Docker with root privileges (using sudo). However, by following these simple steps given below, you can run docker without root privileges.

Running Docker Without Sudo on Linux
Read More

Contact Form

Name

Email *

Message *