Alibaba Cloud Computing Co., Ltd. recently discovered a remote code execution (RCE) vulnerability in the Apache Log4j2 component and reported it to the Apache Software Foundation.
See Vulnerability Notice: Apache Log4j2 Remote Code Execution Vulnerability (CVE-2021-44228/CVE-2021-45046) for more information about the vulnerability.
You can use Application Security in ARMS to enable one-click protection to monitor, block, and report attacks such as remote command execution at runtime. For instructions, see Onboard applications to Application Security. Once an application is onboarded, Application Security identifies and reports attacks that exploit the Log4j2 remote code execution (RCE) vulnerability. You can view information about the Apache Log4j2 vulnerability on the following pages.
-
In the ARMS console left-side navigation pane, choose .
On the Attack Statistics page, you can view data about attacks related to the Apache Log4j2 vulnerability.
The Attack Statistics section shows that 13 attacks were detected and 6 were blocked. The attack types include command execution and malicious DNS query. In the attack log table, you can view attack records related to the
/rasp_demo/log4j2path. The action for each of these records is Block. -
In the ARMS console left-side navigation pane, choose .
The Risky Component Detection tab lists Apache Log4j2 vulnerabilities that Application Security automatically detects and provides recommended fixes.
NoteThe Risky Component Detection feature automatically analyzes third-party component dependencies against the CVE vulnerability database and provides recommended fixes.
In the component path search box, enter
log4jto filter the results. You can view related vulnerability records, such as CVE-2017-5645 (Critical, Score: 9.80) and CVE-2020-9488 (Low, Score: 3.70), both of which involve thelog4j-api-2.6.1.jarcomponent. -
In the ARMS console left-side navigation pane, choose , and then click the Full Component Auto-check tab.
On the Full Component Auto-check tab, you can check which onboarded applications contain the Log4j component and identify their versions.
In the search results, focus on the component name and component version columns. For example, a component may be listed with the name
log4j-coreand the version2.6.1.
You can also configure an alert rule to receive attack alerts through channels such as SMS, DingTalk, or email. To create an alert rule, see Use Application Security alert rules.
By default, the protection mode for Application Security is set to Monitor. We recommend monitoring your application for a period before changing the protection mode to Monitor and Block. This ensures that any attacks are blocked immediately to protect your application. To change the protection mode, see Set the protection mode.