Apache Log4j 2
Thursday, 16 December 2021
A remote code execution vulnerability (CVE-2021-44228) is affecting multiple versions of the Apache Log4j 2 library. The NCSC is aware that scanning for this vulnerability has been detected in the UK and exploitation detected elsewhere.
Log4j 2 is an open-source Java logging library developed by the Apache Foundation. It is widely used in many applications and is present in many services as a dependency. This includes enterprise applications, including custom applications developed within an organisation, as well as numerous cloud services.
Who is affected by this?
Almost all software will have some form of ability to log (for development, operational and security purposes), and Log4j is a very common component used for this.
For individuals, Log4j is almost certainly part of the devices and services you use online every day. The best thing you can do to protect yourself is make sure your devices and apps are as up to date as possible and continue to update them regularly, particularly over the next few weeks.
For organisations, it may not be immediately clear that your web servers, web applications, network devices and other software and hardware use Log4j. This makes it all the more critical for every organisation to pay attention to our advice, and that of your software vendors, and make necessary mitigations.
The NCSC recommends following vendor best practice advice in the mitigation of vulnerabilities. In the case of this vulnerability CVE-2021-44228, the most important aspect is to install the latest updates as soon as practicable:
- If you are using the Log4j 2 library as a dependency within an application you have developed, ensure you update to version 2.16.0 or later
- If you are using an affected third-party application, ensure you keep the product updated to the latest version
- The flaw can also be mitigated in previous releases (2.10 and later) by setting system property "log4j2.formatMsgNoLookups" to "true" or removing the JndiLookup class from the classpath
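The version check and the JndiLookup removal from the list above, as an added triage helper that is not part of the NCSC advisory. It assumes log4j-core jars carry an Implementation-Version header in META-INF/MANIFEST.MF and that the class sits at the standard Log4j 2 package path; the jars it inspects are constructed samples in a temporary directory, not real artifacts.

```python
import os
import tempfile
import zipfile

# Class the advisory says to remove; path assumed from the Log4j 2 package layout.
JNDI_LOOKUP = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
FIXED = (2, 16, 0)  # "update to version 2.16.0 or later"

def parse_version(text):
    return tuple(int(p) for p in text.strip().split(".")[:3])

def assess_jar(path):
    """Return (version, has_jndi_lookup, needs_action) for one log4j-core jar."""
    with zipfile.ZipFile(path) as jar:
        names = set(jar.namelist())
        version = None
        if "META-INF/MANIFEST.MF" in names:  # Implementation-Version header is assumed
            for line in jar.read("META-INF/MANIFEST.MF").decode("utf-8", "replace").splitlines():
                if line.startswith("Implementation-Version:"):
                    version = parse_version(line.split(":", 1)[1])
    has_jndi = JNDI_LOOKUP in names
    # Unknown version with the class present is treated as affected (conservative).
    needs_action = has_jndi and (version is None or version < FIXED)
    return version, has_jndi, needs_action

def strip_jndi_lookup(path):
    """Rewrite the jar in place without JndiLookup.class (the 2.10+ mitigation)."""
    tmp = path + ".tmp"
    with zipfile.ZipFile(path) as src, zipfile.ZipFile(tmp, "w") as dst:
        for info in src.infolist():
            if info.filename != JNDI_LOOKUP:
                dst.writestr(info, src.read(info.filename))
    os.replace(tmp, path)

def make_sample_jar(directory, version, with_jndi=True):
    """Constructed stand-in for log4j-core-<version>.jar, not a real artifact."""
    path = os.path.join(directory, f"log4j-core-{version}.jar")
    with zipfile.ZipFile(path, "w") as jar:
        jar.writestr("META-INF/MANIFEST.MF", f"Manifest-Version: 1.0\nImplementation-Version: {version}\n")
        if with_jndi:
            jar.writestr(JNDI_LOOKUP, b"placeholder")  # stand-in bytes, not bytecode
    return path

def demo():
    """Assess an old jar, strip the class, re-assess, then assess a fixed release."""
    with tempfile.TemporaryDirectory() as d:
        old = make_sample_jar(d, "2.14.1")
        before = assess_jar(old)
        strip_jndi_lookup(old)
        return before, assess_jar(old), assess_jar(make_sample_jar(d, "2.16.0"))
```

Setting the log4j2.formatMsgNoLookups property is a JVM launch option rather than a change to the jar, so it is not covered by this script; a jar flagged with needs_action still needs one of the three steps applied.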
For more information, please refer to the NCSC website pages:
Advice and Guidance - this will be updated as more information becomes available:
Alert: Apache Log4j vulnerability (CVE-2021-44228) - NCSC.GOV.UK
Log4j Vulnerability - What Everyone Needs to know:
What the Log4j vulnerability is, who is affected - NCSC.GOV.UK
To receive the latest Threat Reports and Advisories direct to your inbox, sign up via the NCSC Subscription centre.