If this forum uses the apache Log4J logging tool it's vulnerable to the new Log4Shell critical zero-day vulnerability.
https://nvd.nist.gov/vuln/detail/CVE-2021-44228Any system using it needs upgrading, or the mitigation applying.
https://blog.malwarebytes.com/exploits-and-vulnerabilities/2021/12/log4j-zero-day-log4shell-arrives-just-in-time-to-ruin-your-weekend/All an attacker has to do is get the affected app to log a special string. For that reason, researchers have dubbed the vulnerability “Log4Shell”.
Log4j is an open source logging library written in Java that was developed by the Apache Software Foundation.
The vulnerability is triggered by a simple string sent to a vulnerable server:
[example string blocked by cloudflare]
When the vulnerable application logs the string it triggers a lookup to an attacker-controlled remote LDAP server (example.com in our scenario). The response from the malicious server contains a path to a remote Java class file that’s injected into the server process. Attackers can execute commands with the same level of privilege as the application that uses the logging library.
Mitigation
Mitigations are available for versions of log4j 2.10.0 and up. Version 2.15.0 is not vulnerable by default. Note that there may be other dependencies, such as your Java version, that need to be updated before you can upgrade. Fixing the vulnerability may not be straightforward, but it is urgent.
According to the Apache log4j project, if you are unable to upgrade, for whatever reason, you can mitigate this vulnerability in version 2.10.0 or higher by switching log4j2.formatMsgNoLookups to true. This can be done by adding ‐Dlog4j2.formatMsgNoLookups=True to the JVM command for starting the application.
