Critical Vulnerability in the Java Logging Library Log4j

In December 2021, a vulnerability in the widely used Java logging library Log4j became known. It allows attackers to execute malicious code on affected systems.

Log4j is a logging library for Java applications that is used to log events during server operation.

Versions 2.0 to 2.14.1 are affected by this vulnerability. Older versions are not affected according to current knowledge, but should be updated to a non-vulnerable version.

We have already taken security measures to prevent exploitation of the vulnerability on our network. Many systems have already been checked and where necessary we have applied appropriate security updates.

Attention

If you purchased a Server package with root access that uses an affected version of Log4j, you will need to update the affected applications and operating system manually because IONOS has no access to these systems. The same applies if you run your own Java installations on other systems. Please make sure that the update is done as soon as security updates are made available by the manufacturers.

The Apache Software Foundation has already released version 2.16.0 of Log4j and also provides guidance on how to protect affected systems for the time being. However, please note that you will need to customise any applications that use Log4j.

For this reason, we recommend that you scan your servers for vulnerable instances of the Log4j library. You can use the following software for this purpose:

https://github.com/mergebase/log4j-detector
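
To illustrate what such a scan looks for, the following added example (not code from IONOS or from the log4j-detector project) walks a directory tree, opens every jar/war/ear including nested ones, and compares the log4j-core version against the affected range given above. It assumes the archive still contains the Maven `pom.properties` file that log4j-core jars ship with; all function names are chosen for this example.

```python
import io
import os
import re
import sys
import zipfile

# Affected range as stated in this article: 2.0 up to and including 2.14.1.
AFFECTED_MIN, AFFECTED_MAX = (2, 0, 0), (2, 14, 1)
# Maven metadata inside log4j-core jars; still present if the jar file was renamed.
POM = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
ARCHIVE_EXT = (".jar", ".war", ".ear")

def parse_version(text):
    """Turn '2.14.1' or '2.0-beta9' into a comparable tuple such as (2, 14, 1)."""
    nums = [int(n) for n in re.findall(r"\d+", text.split("-")[0])][:3]
    return tuple(nums + [0] * (3 - len(nums)))

def is_affected(version):
    return AFFECTED_MIN <= parse_version(version) <= AFFECTED_MAX

def scan_archive(source, label, depth=0):
    """Return [(location, version, affected)] for one archive and its nested jars."""
    hits = []
    try:
        zf = zipfile.ZipFile(source)
    except (zipfile.BadZipFile, OSError):
        return hits  # unreadable or not really an archive: skip it
    with zf:
        for name in zf.namelist():
            if name == POM:
                props = zf.read(name).decode("utf-8", "replace")
                if m := re.search(r"^version=(\S+)", props, re.M):
                    hits.append((label, m.group(1), is_affected(m.group(1))))
            elif name.lower().endswith(ARCHIVE_EXT) and depth < 5:
                inner = io.BytesIO(zf.read(name))  # fat jar / WAR: recurse in memory
                hits += scan_archive(inner, f"{label}!{name}", depth + 1)
    return hits

def scan_tree(root):
    hits = []
    for folder, _, files in os.walk(root):
        for path in (os.path.join(folder, f) for f in files):
            if path.lower().endswith(ARCHIVE_EXT):
                hits += scan_archive(path, path)
    return hits

if __name__ == "__main__":
    for loc, ver, bad in scan_tree(sys.argv[1] if len(sys.argv) > 1 else "."):
        print(f"{'AFFECTED' if bad else 'ok':8} log4j-core {ver}  {loc}")
```

Archives that were repackaged without their Maven metadata are not found by this check, so a clean result from it does not replace a scan with a dedicated tool such as the one linked above.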


For more information, please see the following links:

https://cve.mitre.org/cgi-bin/cvename.cgi?name=2021-44228

https://www.microsoft.com/security/blog/2021/12/11/guidance-for-preventing-detecting-and-hunting-for-cve-2021-44228-log4j-2-exploitation/

https://ubuntu.com/security/CVE-2021-44228

https://security-tracker.debian.org/tracker/CVE-2021-44228

https://www.suse.com/security/cve/CVE-2021-44228.html