17 Apache projects turned out to be affected by the vulnerability in Log4j 2

The Apache Software Foundation has published a consolidated report on the projects affected by the critical vulnerability in Log4j 2, which allows arbitrary code to be executed on the server. The following Apache projects are affected: Archiva, Druid, EventMesh, Flink, Fortress, Geode, Hive, JMeter, Jena, JSPWiki, Isone, Solr, Struts, Traffic Control and Calcite Avatica. The vulnerability also affected GitHub products, including GitHub.com, GitHub Enterprise Cloud and GitHub Enterprise Server.

Apache projects not affected by the vulnerability in Log4j 2: Apache Iceberg, Guacamole, Hadoop, Log4net, Spark, Tomcat, ZooKeeper and CloudStack.

Users of the affected packages are advised to urgently install the updates released for them, to update Log4j 2 separately, or to set the parameter log4j2.formatMsgNoLookups to true. To block the vulnerability on systems to which there is no direct access, the exploit-vaccine Logout4Shell has been suggested: by carrying out the attack, it sets the Java settings "log4j2.formatMsgNoLookups = true", "com.sun.jndi.rmi.object.trustURLCodebase = false" and "com.sun.jndi.cosnaming.object.trustURLCodebase = false" to block further manifestation of the vulnerability on such systems.
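As an added illustration (not code from the Apache advisory or from Logout4Shell), the following Python sketch audits JVM launch command lines for the three Java settings listed above, spelled as the JVM expects them. The sample command lines, `app.jar` and `com.example.Main` are constructed, and it assumes the settings are passed as `-D` flags on the command line.

```python
import shlex

# The three JVM settings named in the article, with the value each must have.
# Names are compared exactly as spelled here.
REQUIRED = {
    "log4j2.formatMsgNoLookups": "true",
    "com.sun.jndi.rmi.object.trustURLCodebase": "false",
    "com.sun.jndi.cosnaming.object.trustURLCodebase": "false",
}

def jvm_properties(cmdline):
    """Return {name: value} for -Dname=value flags placed before the main class or -jar."""
    props = {}
    tokens = shlex.split(cmdline)[1:]          # drop the java executable
    i = 0
    while i < len(tokens):
        tok = tokens[i]
        if tok in ("-cp", "-classpath", "--class-path"):
            i += 2                             # option that takes a separate argument
            continue
        if tok == "-jar" or not tok.startswith("-"):
            break                              # the rest are application arguments
        if tok.startswith("-D"):
            name, _, value = tok[2:].partition("=")
            props[name] = value                # assumption: a repeated flag overrides the earlier one
        i += 1
    return props

def audit(cmdline):
    """Return the sorted list of required settings that are missing or have the wrong value."""
    props = jvm_properties(cmdline)
    return sorted(name for name, want in REQUIRED.items()
                  if props.get(name, "").strip().lower() != want)

# Constructed sample command lines (not taken from any real system).
SAMPLES = {
    "hardened": "java -Dlog4j2.formatMsgNoLookups=true "
                "-Dcom.sun.jndi.rmi.object.trustURLCodebase=false "
                "-Dcom.sun.jndi.cosnaming.object.trustURLCodebase=false -jar app.jar",
    "default": "java -Xmx2g -cp lib/* com.example.Main",
    "partial": "java -Dlog4j2.formatMsgNoLookups=true -jar app.jar",
    # A -D flag after the jar is an application argument, not a JVM property.
    "after-jar": "java -jar app.jar -Dlog4j2.formatMsgNoLookups=true",
}

if __name__ == "__main__":
    for label, cmd in SAMPLES.items():
        missing = audit(cmd)
        print(f"{label}: {'OK' if not missing else 'missing ' + ', '.join(missing)}")
```

The audit only reports whether the settings are explicitly present; it does not check which Log4j 2 version a process has loaded.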

In recent days, there has been a significant increase in activity related to exploitation of the vulnerability. For example, Check Point recorded a peak of about 100 exploitation attempts per minute on its decoy servers, and Sophos reported identifying a new cryptocurrency-mining botnet formed from systems with the unpatched vulnerability in Log4j 2.

/Media reports.