Log4j Vulnerability FAQ
In late 2021, security researchers announced a major vulnerability in Log4j, a widely used open source logging utility. The vulnerability, which has come to be known as Log4Shell, enables arbitrary code execution on systems that use Log4j. Experts have described the Log4j compromise as the worst software security vulnerability in decades.
The Log4j vulnerability is a flaw in a software utility called Log4j. When exploited, the vulnerability enables remote attackers to execute code on systems that use vulnerable versions of Log4j.
This means that attackers can effectively take control of applications – and, by extension, the servers that host them – from a remote location.
Log4j itself is a logging utility, which means it’s a tool that helps applications generate and organize log data. Log4j is designed in particular for Java applications. It is open source and free for anyone to use.
Java is among the world’s most popular programming languages, and Log4j was first released in 2001. Combined with Log4j’s open source nature, these facts mean that Log4j has been widely deployed in production applications. While there are no official statistics regarding total Log4j installations in the world, most researchers estimate that they number in the millions.
There is nothing inherently dangerous about Log4j itself; as long as you’re using a secure version of the tool, you can continue to do so without worry.
Only certain versions of Log4j are affected by the vulnerability. They are Log4j releases 2.0-alpha7 to 2.17.0, with the exception of versions 2.3.2 and 2.12.4.
While all of these versions are vulnerable, the severity of the vulnerability varies within this range of versions. See our Log4j “cheat sheet” for more information.
1.x versions Log4j are not impacted.
As long as the version of Log4j that runs in your software environment is not among the versions impacted, you are safe from the Log4j vulnerability.
You are also safe if you upgrade your Log4j installation to a new version. The specific version to use depends on which version of Java is running on your system. To upgrade to a secure version of Log4j, you’ll need to upgrade to versions:
- 2.3.2 (for systems running Java 6)
- 2.12.4 (for Java 7)
- 2.17.1 (for Java 8 and later)
Once you’ve upgraded Log4j to a secure version, attackers can no longer exploit the vulnerability on your system.
As noted above, Log4j versions 2.0-alpha7 to 2.17.0 are vulnerable to Log4Shell. The exception within that range is versions 2.3.2 and 2.12.4, which are not vulnerable.
All other Log4j releases – meaning any versions released prior to 2.0-alpha7 or later than 2.17.0 – are not vulnerable.
To exploit the Log4j vulnerability, attackers insert malicious strings into HTTP request URLs, then send those requests to applications that run vulnerable versions of Log4j. Log4j will then execute code in those strings.
Effectively, this means that attackers can run commands of their choosing on vulnerable systems by inserting them into HTTP requests.
The simplest and most effective way to remediate the Log4j vulnerability is to upgrade to a secure version of Log4j. As noted above, those versions are:
- 2.3.2 (for systems running Java 6)
- 2.12.4 (for Java 7)
- 2.17.1 (for Java 8 and later)
You can also mitigate the vulnerability by blocking requests to Log4j that include strings associated with exploitation of the vulnerability. A common string in this regard is ${jndi. Upgrading your Java Runtime Environment (JRE) may also mitigate the vulnerability because the latest JREs disable the loading of remote code.
Again, however, the best way to remediate the vulnerability permanently is to upgrade to a newer version of Log4j. Other mitigations are best used as temporary fixes until you can upgrade.
No. Shortly after Log4Shell was announced, JFrog confirmed that neither Artifactory, nor any other JFrog products, were affected by the Log4j vulnerability.
Systems running Artifactory may be affected if they also host other applications that use vulnerable versions of Log4j, but Artifactory itself will not make your system vulnerable.