17 January 2022
Security Note - LOG4J Vulnerability
Background:
Apache is a widely used open source web server that is maintained by the Apache Foundation. Log4J is a widely used open source application logging library that is maintained by the Apache Software Foundation.
A critical security issue was recently identified. Microsoft has published a comprehensive security blog post on the issue and is updating it regularly as new information becomes available.
In summary, Apache Log4j2 versions 2.0-beta7 through 2.17.0 (excluding security fix releases 2.3.2 and 2.12.4) are vulnerable to a remote code execution (RCE) attack where an attacker with permission to modify the logging configuration file can construct a malicious configuration using a JDBC Appender with a data source referencing a JNDI URI which can execute remote code. This issue is fixed by limiting JNDI data source names to the java protocol in Log4j2 versions 2.17.1, 2.12.4, and 2.3.2.
Specific Technical Detail: https://logging.apache.org/log4j/2.x/security.html
Apache released a patch at the end of December 2021.
Patch Details: https://logging.apache.org/log4j/2.x/
Recommended Action (Dated 5/1/22):
Upgrade to Log4j 2.3.2 (for Java 6), 2.12.4 (for Java 7), or 2.17.1 (for Java 8 and later).
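As an added example (not part of the original note), the following Python helper encodes the affected version range and the fixed releases stated above so that an inventory of log4j-core jars can be triaged offline. The jar-reading helper assumes the version is recorded in the manifest's Implementation-Version attribute.

```python
"""Triage Log4j 2 versions against the affected range and fixed releases in the note."""
import re
import zipfile

# Prerelease tags sort before a final release; a final release gets rank 3.
PRE_RANK = {"alpha": 0, "beta": 1, "rc": 2}


def parse_version(version: str) -> tuple:
    """'2.0-beta7' -> (2, 0, 0, 1, 7); '2.17.1' -> (2, 17, 1, 3, 0)."""
    base, _, pre = version.strip().partition("-")
    nums = [int(p) for p in base.split(".")]
    while len(nums) < 3:
        nums.append(0)
    if not pre:
        return (*nums[:3], 3, 0)
    m = re.fullmatch(r"([a-z]+)(\d*)", pre.lower())
    if not m or m.group(1) not in PRE_RANK:
        raise ValueError(f"unrecognised prerelease tag in {version!r}")
    return (*nums[:3], PRE_RANK[m.group(1)], int(m.group(2) or 0))


# Affected: 2.0-beta7 through 2.17.0, excluding the backported fixes 2.3.2 and 2.12.4.
FIRST_AFFECTED = parse_version("2.0-beta7")
LAST_AFFECTED = parse_version("2.17.0")
SAFE_BACKPORTS = {parse_version("2.3.2"), parse_version("2.12.4")}


def is_affected(version: str) -> bool:
    """True if the given log4j-core version falls inside the affected range."""
    v = parse_version(version)
    if v in SAFE_BACKPORTS:
        return False
    return FIRST_AFFECTED <= v <= LAST_AFFECTED


def recommended_upgrade(java_major: int) -> str:
    """Fixed release to move to, keyed on the Java runtime the application uses."""
    if java_major <= 6:
        return "2.3.2"
    if java_major == 7:
        return "2.12.4"
    return "2.17.1"


def version_from_jar(path: str) -> str:
    """Read Implementation-Version from a jar's manifest (assumed to be present)."""
    with zipfile.ZipFile(path) as jar:
        manifest = jar.read("META-INF/MANIFEST.MF").decode("utf-8", "replace")
    for line in manifest.splitlines():
        if line.startswith("Implementation-Version:"):
            return line.split(":", 1)[1].strip()
    raise ValueError(f"no Implementation-Version in {path}")
```

Feed `version_from_jar` the paths of any log4j-core jars found on a host, then pass each result to `is_affected` to decide whether the upgrade applies.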
Impact & Available Vendor Communications
Louder have listed the primary advertising & marketing technology vendors' responses below (A-Z):
- Adform
- Adobe
- Amazon Web Services
- Facebook has yet to comment publicly on the issue
- Google (All Platforms)
- Google Marketing Platform
- Google Ads
- Google Cloud Platform
- OKTA
- Snowplow