# 💡 Log4j CVE-2021-44228, CVE-2021-45046, CVE-2021-45105 Resources

This repository is designed to be a collection of resources to learn about, detect and mitigate the impact of the Log4j vulnerability - more formally known as [CVE-2021-44228](

Below you can find a set of links to resources organized by topic area. If you want to add resources, you can [fork]( this repository and create a merge request. [This repository on GitLab]( is mirrored to [GitHub](

#### Table of contents

* [About the vulnerability](#-about-the-vulnerability)
  * [Software updates](#-software-updates)
  * [CVE information](#-cve-information)
  * [Security advisories](#-security-advisories)
  * [Other](#-other)
* [Detecting the vulnerability](#-detecting-the-vulnerability)
  * [Security Vendors](#-security-vendors)
  * [Guides](#%EF%B8%8F-guides)
  * [Community tools and articles](#-community-tools-and-articles)
* [Mitigating the vulnerability](#%EF%B8%8F-mitigating-the-vulnerability)

## ❔ About the vulnerability

Apache Log4j versions 2.0 to 2.14.1 are vulnerable to remote code execution (RCE). The flaw is remotely exploitable without authentication, i.e., attackers may exploit it over a network without needing a username and password.

New vulnerabilities have since been discovered and fixed; see _Software updates_ below for the timeline.

### 📦 Software updates

Upgrade log4j to the latest release to fix the vulnerabilities.

- [log4j 2.17.0]( fixes [CVE-2021-45105](, where log4j does not always protect against infinite recursion, leading to DoS attacks.
- [log4j 2.16.0]( removes support for message lookups and disables JNDI by default. Fixes [CVE-2021-45046](, whose severity was raised to critical because RCE is possible.
- [log4j 2.15.0]( fixes the vulnerability in [CVE-2021-44228]( but leaves JNDI lookups enabled by default.

### 📄 CVE Information

- [CVE-2021-45105]( from NIST
- [CVE-2021-45105]( from MITRE
- [CVE-2021-45046]( from MITRE
- [CVE-2021-45046]( from Red Hat
- [CVE-2021-44228]( from MITRE
- [CVE-2021-44228]( from Oracle

### 💬 Security Advisories

- [This GitHub gist]( contains an extensive list of the various security advisories from cloud, software, and SaaS companies about CVE-2021-44228.
- [CISA Log4j (CVE-2021-44228) Vulnerability Guidance](
- [Updates and actions to address Log4j CVE 2021 44228 and CVE 2021 45046 in GitLab](
- [Jenkins](

### 📖 Other

- [Software related to or impacted by the Log4j vulnerability](
- [List of impact on manufacturers and components summary from the Internet community](
- [Awesome Log4Shell](
- [‘The Internet Is on Fire’]( by Wired

## 🔥 Detecting the vulnerability

### 🚒 Security Vendors

- [Checkmarx](
- [Contrast Security](
- [Docker](
- [Elastic](
- [GitLab](
- [Snyk](
- [WhiteSource](
- [Veracode](

### πŸ—οΈ Guides

- [Container Scanning](

### 📈 Community tools and articles

Community projects and discussions; they have not been tested. You are advised to evaluate and assess their usability on your own.

- [GitLab search tools forum topic](
- [Mitigate Log4j2 / Log4Shell in Elasticsearch]( by Philipp Krenn

## πŸ›‘οΈ Mitigating the vulnerability

The best way to mitigate the vulnerability is to update any application using Log4j to the latest version (see the _Software updates_ section above). However, there have been many other discussions of how to mitigate the vulnerability short of that.

- Disable message lookups. This option is available in Log4j 2.10 - 2.14.1 and requires restarting the process.
  - Add `-Dlog4j2.formatMsgNoLookups=true` to the JVM options of processes running Log4j 2.10 - 2.14.1.
  - Or set the environment variable `LOG4J_FORMAT_MSG_NO_LOOKUPS=true`.
- For versions 2.0-beta9 to 2.10.0, you can remove the JndiLookup class from the jar by running the command below and restarting the process:
  - `zip -q -d log4j-core-*.jar org/apache/logging/log4j/core/lookup/JndiLookup.class`
- Without restarting the process, you could apply this [hot patch]( which injects a Java agent into running processes to patch the issue.
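An added example, not part of this resource list or the Log4j project: a Python check that reads the Maven version metadata inside a log4j-core jar, reports whether `JndiLookup.class` is still present and whether the version predates 2.17.0, and reproduces the class-removal step above with the `zipfile` module instead of `zip -q -d`. The jar it operates on is a constructed stand-in with placeholder bytes, and `assess_jar()`, `remove_jndi_lookup()`, `make_sample_jar()` and `demo()` are names chosen here.

```python
import io
import re
import tempfile
import zipfile
from pathlib import Path

# Entry names inside a real log4j-core jar; JndiLookup.class is what the zip -d step removes.
JNDI_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
POM_PROPS = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
FIXED = (2, 17, 0)  # first release covering all three CVEs listed above

def assess_jar(path):
    """Return (version, has_jndi_lookup, needs_upgrade) for one jar on disk."""
    with zipfile.ZipFile(path) as jar:
        names = set(jar.namelist())
        version = None
        if POM_PROPS in names:
            for line in jar.read(POM_PROPS).decode("utf-8", "replace").splitlines():
                if line.startswith("version="):
                    version = line.split("=", 1)[1].strip()
    # Unknown version is treated as needing an upgrade; numeric parts only, so 2.0-beta9 sorts below 2.17.0.
    needs_upgrade = version is None or tuple(int(n) for n in re.findall(r"\d+", version)[:3]) < FIXED
    return version, JNDI_CLASS in names, needs_upgrade

def remove_jndi_lookup(path):
    """Rewrite the jar without JndiLookup.class (same effect as the zip -q -d command above)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(path) as src, zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as dst:
        for info in src.infolist():
            if info.filename != JNDI_CLASS:
                dst.writestr(info, src.read(info.filename))
    Path(path).write_bytes(buf.getvalue())
    with zipfile.ZipFile(path) as check:
        return JNDI_CLASS not in check.namelist()

def make_sample_jar(path, version):
    """Constructed stand-in for log4j-core: real entry names, placeholder bytes, not real bytecode."""
    with zipfile.ZipFile(path, "w") as jar:
        jar.writestr(POM_PROPS, f"version={version}\n")
        jar.writestr(JNDI_CLASS, b"\xca\xfe\xba\xbe")

def demo(version="2.14.1"):
    """Build the sample jar in a temp dir, assess it, strip the class, and assess it again."""
    with tempfile.TemporaryDirectory() as tmp:
        jar = Path(tmp) / f"log4j-core-{version}.jar"
        make_sample_jar(jar, version)
        before = assess_jar(jar)
        removed = remove_jndi_lookup(jar)
        after = assess_jar(jar)
    return before, removed, after
```

Removing the class clears the `has_jndi_lookup` flag but not `needs_upgrade`; as the text above says, upgrading remains the real fix.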