Apache Log4J Vulnerabilities
Genus is aware of the recently disclosed Apache Log4j2 vulnerability (CVE-2021-44228) and the impact this may have on your organization as a widely used open-source Java logging utility. While we are currently working with a number of customers on this issue, we wanted to proactively post information for all of our customers for their review.
The Apache Log4j2 vulnerability allows attackers to execute arbitrary code when message lookup substitution is enabled in Log4j. Almost all versions of Log4j2 are susceptible, including 2.0-beta9 through 2.15. Log4j version 2.15.0 was initially released and turned message lookup substitution off by default. A new, lower-priority vulnerability, CVE-2021-45046, was subsequently identified in Log4j version 2.15.0 and 2.16.0 was released to address this issue by disabling message lookup substitution entirely.
A quick way to assess if you are impacted by this CVE is to search the file systems of your servers for “log4j-core-2.*.jar”. If you’re impacted by this CVE, remediation options include:
1. Upgrade to a patched version of the software that includes Log4j 2.16.0 or higher
2. If the application is using Log4j 2.10 or higher, add the following JVM argument to disable message lookup substitution:
3. Replace the log4j-core-2.x.jar with the new logj4-core-2.16.0.jar (or higher when available). You may need to update references to this .jar in manifest.mf and other files.
4. Remove the JndiLookup class from the jar file manually:
zip -q -d log4j-core-*.jar org/apache/logging/log4j/core/lookup/JndiLookup.class
We will continue to update this post with any significant updates as the investigation continues.
If you are a current Genus Technologies customer and are unsure whether your environment is impacted or have any questions on how to mitigate and address any affected environments, please reach out to the Genus Support Team at email@example.com. If you are not a Genus customer and would like to discuss assistance with remediating this issue with the Genus Services Team, please contact firstname.lastname@example.org
Below is a list of Genus software products, including those we represent, that are affected by this vulnerability.