Apache Log4j Multiple Vulnerabilities
Fabien edited this page May 22, 2024 · 1 revision
Apache Log4j is a widely used logging framework for Java applications and has been subject to multiple vulnerabilities over the years. These vulnerabilities can lead to severe risks, including remote code execution, information disclosure and denial of service (DoS).
- Severity: Critical
- Remote Code Execution (RCE): allows attackers to execute arbitrary code on the host running the application, potentially taking full control of affected systems.
- Information Disclosure: some flaws allow an attacker to read sensitive values (environment variables, system properties) or data logged by Log4j, for example by having them substituted into a lookup and sent to an attacker-controlled host.
- Denial of Service (DoS): certain flaws can be exploited to hang or crash the logging path, making the application or server unresponsive and disrupting services.
- Unsafe Handling of Logged Input: the best-known flaws (Log4Shell, CVE-2021-44228, fixed in the 2.16.0 plugin range below) arise because Log4j 2 evaluated lookups such as ${jndi:...} inside logged messages. Any attacker-controlled string that reaches a log statement (HTTP headers, usernames, User-Agent values) is therefore processed as an instruction rather than treated as inert data.
- Outdated Components: running older, unpatched versions of Log4j that contain known vulnerabilities, often as a transitive dependency or a copy shaded into a WAR or fat jar that package inventories miss.
- Configuration Errors: misconfigurations, such as enabling appenders that take JNDI or JMS endpoints from attacker-writable configuration (the JMSAppender issue in 1.2, CVE-2021-4104), expose systems to higher risks of exploitation.
Immediate Actions to Mitigate Log4j Vulnerabilities:
- Patch and Update:
  - Update Log4j to the latest release of the branch you use to address newly discovered vulnerabilities. Monitor the Apache Log4j security announcements for patch releases; several 2021 fixes shipped as separate backports for the 2.3.x (Java 6) and 2.12.x (Java 7) lines.
- Secure Configuration:
  - Review and adjust Log4j configurations to disable unnecessary functionality (JMS/JDBC appenders, lookups you do not use) and ensure safe logging practices are enforced. Configuration-only workarounds are a stopgap, not a substitute for upgrading.
- Dependency Management:
  - Use tools like OWASP Dependency-Check to identify and remediate outdated or vulnerable versions of Log4j in your projects, including transitive dependencies and copies bundled inside WARs and fat jars.
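The three actions above boil down to one question for each deployed artifact: which Log4j is actually inside it, and which of the findings listed on this page still apply? The following script is an added example, not code from this wiki page, from Apache or from any scanner product. It opens jar, war and ear archives, reads the Maven pom.properties that log4j-core and log4j 1.x ship with, descends into nested jars, and maps the version to the finding titles used on this page. The archive paths are the standard Maven/Log4j ones; the per-branch fixed versions for the 2.3.x and 2.12.x backport lines (2.3.1/2.3.2 and 2.12.2/2.12.3/2.12.4) are taken from the Apache Log4j security advisories rather than from this page. The sample archives are constructed in memory so the script runs offline.

```python
"""Offline scan of jar/war/ear archives for the Log4j findings listed on this page.

Added example, not part of the original wiki page. Branch-specific fixed
versions come from the Apache Log4j security advisories (assumption: your
vulnerability scanner uses the same per-branch thresholds).
"""
import io
import re
import zipfile
from pathlib import Path

# Standard Maven metadata and class paths inside the official Log4j jars.
LOG4J2_POM = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
LOG4J1_POM = "META-INF/maven/log4j/log4j/pom.properties"
JNDI_LOOKUP = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
JMS_APPENDER = "org/apache/log4j/net/JMSAppender.class"

# Finding titles exactly as listed on this page.
RCE_LOOKUP = "Apache Log4j 2.x < 2.16.0 RCE"
DOS_RECURSION = "Apache Log4j 2.x < 2.17.0 DoS"
RCE_JDBC = "Apache Log4j 2.0 < 2.3.2 / 2.4 < 2.12.4 / 2.13 < 2.17.1 RCE"
SEOL = "Apache Log4j SEoL (<= 1.x)"
JMS_RCE = "Apache Log4j 1.2 JMSAppender Remote Code Execution (CVE-2021-4104)"
JNDI_REMOVED = "JndiLookup.class removed (JNDI lookup path mitigated)"

# First fixed version per maintained branch (main = 2.13+, "2.12" = Java 7
# backport line, "2.3" = Java 6 backport line), per the Apache advisories.
FIXES = [
    (RCE_LOOKUP, {"main": (2, 16, 0), "2.12": (2, 12, 2), "2.3": (2, 3, 1)}),
    (DOS_RECURSION, {"main": (2, 17, 0), "2.12": (2, 12, 3), "2.3": (2, 3, 2)}),
    (RCE_JDBC, {"main": (2, 17, 1), "2.12": (2, 12, 4), "2.3": (2, 3, 2)}),
]


def parse_version(text):
    """'2.14.1' -> (2, 14, 1); '2.0-beta9' -> (2, 0, 0); None if unparsable."""
    m = re.match(r"(\d+)\.(\d+)(?:\.(\d+))?", text.strip())
    return tuple(int(g or 0) for g in m.groups()) if m else None


def assess(version):
    """Map a Log4j version string to the finding titles that still apply."""
    v = parse_version(version)
    if v is None:
        return ["unparsable version: %r" % (version,)]
    if v < (2, 0, 0):
        return [SEOL]
    branch = "2.3" if v[:2] == (2, 3) else "2.12" if v[:2] == (2, 12) else "main"
    return [title for title, fixed in FIXES if v < fixed[branch]]


def _read_version(zf, pom_path):
    with zf.open(pom_path) as fh:
        for line in io.TextIOWrapper(fh, encoding="utf-8"):
            if line.startswith("version="):
                return line.split("=", 1)[1].strip()
    return None


def scan_archive(data, name):
    """Scan one zip-format archive (bytes); returns [(artifact, version, findings)]."""
    results = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        names = set(zf.namelist())
        if LOG4J2_POM in names:
            version = _read_version(zf, LOG4J2_POM)
            findings = assess(version)
            # Deleting JndiLookup.class is the Apache-documented workaround for the
            # lookup-based RCE only; the recursion DoS and the JDBC appender RCE
            # do not go through that class, so those findings stay.
            if JNDI_LOOKUP not in names:
                findings = [f for f in findings if f != RCE_LOOKUP] + [JNDI_REMOVED]
            results.append((name, version, findings))
        if LOG4J1_POM in names:
            version = _read_version(zf, LOG4J1_POM)
            findings = assess(version)
            if JMS_APPENDER in names:
                findings.append(JMS_RCE)
            results.append((name, version, findings))
        # Recurse into bundled jars: WEB-INF/lib in WARs, shaded/fat jars, EARs.
        for entry in sorted(names):
            if entry.endswith(".jar"):
                results.extend(scan_archive(zf.read(entry), name + "!" + entry))
    return results


def scan_tree(root):
    """Scan every .jar/.war/.ear under a directory on disk."""
    results = []
    for p in Path(root).rglob("*"):
        if p.is_file() and p.suffix in (".jar", ".war", ".ear"):
            results.extend(scan_archive(p.read_bytes(), str(p)))
    return results


def build_sample_jar(pom_path, version, classes=()):
    """Constructed test data: a minimal jar with only the metadata we inspect."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(pom_path, "version=%s\n" % version)
        for cls in classes:
            zf.writestr(cls, b"\xca\xfe\xba\xbe")  # class-file magic; body irrelevant
    return buf.getvalue()


def demo():
    """Scan constructed samples; returns {artifact: (version, findings)}."""
    samples = {
        "log4j-core-2.14.1.jar": build_sample_jar(LOG4J2_POM, "2.14.1", [JNDI_LOOKUP]),
        "log4j-core-2.14.1-stripped.jar": build_sample_jar(LOG4J2_POM, "2.14.1"),
        "log4j-core-2.17.1.jar": build_sample_jar(LOG4J2_POM, "2.17.1", [JNDI_LOOKUP]),
        "log4j-1.2.17.jar": build_sample_jar(LOG4J1_POM, "1.2.17", [JMS_APPENDER]),
    }
    war = io.BytesIO()  # a WAR bundling the vulnerable jar, to show nested scanning
    with zipfile.ZipFile(war, "w") as zf:
        zf.writestr("WEB-INF/lib/log4j-core-2.14.1.jar", samples["log4j-core-2.14.1.jar"])
    samples["app.war"] = war.getvalue()
    report = {}
    for name, data in samples.items():
        for artifact, version, findings in scan_archive(data, name):
            report[artifact] = (version, findings)
    return report


if __name__ == "__main__":
    for artifact, (version, findings) in demo().items():
        print(artifact, version, "->", findings or ["no findings"])
```

Point scan_tree() at a deployment directory (Tomcat webapps, an application's lib folder, a container image's filesystem) to get the same report for real artifacts. The nested-archive step is what makes this useful for the "Dependency Management" action: a package manifest may say nothing about Log4j while a WAR under WEB-INF/lib still carries log4j-core 2.14.1. The JndiLookup.class check reflects how a partially mitigated host looks: the lookup-based RCE is closed, but the DoS and the JDBC appender RCE remain until the jar itself is upgraded.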
- Apache Log4j 1.2 JMSAppender Remote Code Execution (CVE-2021-4104)
- Apache Log4j 2.0 < 2.3.2 / 2.4 < 2.12.4 / 2.13 < 2.17.1 RCE
- Apache Log4j 2.x < 2.16.0 RCE
- Apache Log4j 2.x < 2.17.0 DoS
- Apache Log4j SEoL (<= 1.x)
N/A