Apache Log4j2 remote code execution vulnerability (CVE-2021-44228)

更新时间:
复制 MD 格式

Alibaba Cloud Computing Co., Ltd. recently discovered a remote code execution (RCE) vulnerability in the Apache Log4j2 component and reported it to the Apache Software Foundation.

See Vulnerability Notice: Apache Log4j2 Remote Code Execution Vulnerability (CVE-2021-44228/CVE-2021-45046) for more information about the vulnerability.

You can use Application Security in ARMS to enable one-click protection to monitor, block, and report attacks such as remote command execution at runtime. For instructions, see Onboard applications to Application Security. Once an application is onboarded, Application Security identifies and reports attacks that exploit the Log4j2 remote code execution (RCE) vulnerability. You can view information about the Apache Log4j2 vulnerability on the following pages.

  • In the ARMS console left-side navigation pane, choose Application Security > Attack Statistics.

    On the Attack Statistics page, you can view data about attacks related to the Apache Log4j2 vulnerability.

    The Attack Statistics section shows that 13 attacks were detected and 6 were blocked. The attack types include command execution and malicious DNS query. In the attack log table, you can view attack records related to the /rasp_demo/log4j2 path. The action for each of these records is Block.

  • In the ARMS console left-side navigation pane, choose Application Security > Risky Component Detection.

    The Risky Component Detection tab lists Apache Log4j2 vulnerabilities that Application Security automatically detects and provides recommended fixes.

    Note

    The Risky Component Detection feature automatically analyzes third-party component dependencies against the CVE vulnerability database and provides recommended fixes.

    In the component path search box, enter log4j to filter the results. You can view related vulnerability records, such as CVE-2017-5645 (Critical, Score: 9.80) and CVE-2020-9488 (Low, Score: 3.70), both of which involve the log4j-api-2.6.1.jar component.

  • In the ARMS console left-side navigation pane, choose Application Security > Risky Component Detection, and then click the Full Component Auto-check tab.

    On the Full Component Auto-check tab, you can check which onboarded applications contain the Log4j component and identify their versions.

    In the search results, focus on the component name and component version columns. For example, a component may be listed with the name log4j-core and the version 2.6.1.

You can also configure an alert rule to receive attack alerts through channels such as SMS, DingTalk, or email. To create an alert rule, see Use Application Security alert rules.

By default, the protection mode for Application Security is set to Monitor. We recommend monitoring your application for a period before changing the protection mode to Monitor and Block. This ensures that any attacks are blocked immediately to protect your application. To change the protection mode, see Set the protection mode.