For immediate mitigation, download the matching log4j file below and replace the file on all your servers by executing the following cmdline: find /opt/ -type f -name log4j\*jar to identify the vulnerable file/version and replacing it with the latest version from here: /log4j-core
According to Apache, the vulnerability exists only in the LOG4J-CORE jar file. However, if you want to be safe & consistent you should upgrade the other log4j jar files to the latest version for all servers running java apps in your infrastructure. Here are the links to download those files:
log4j-1.2-api-2.XX cannot be replaced with version 2.x
Sources of Information that we are monitoring & following:
- Oracle Document 2827611.1for Oracle Database, Java & other products regaarding the applicability of
Security Alert CVE-2021-44228 to Oracle on-premises products is being continually updated by Oracle as to the products that require or do not require patches.
- Microsoft for Windows-based deployments
- OWASP.org for adding this CVE to the OWASP list and the to the F5 WAF Managed Rulesets.
- Wildfly does not deploy Log4j-core instead you’ll find a shaded version that is not the affected log4j-core in the path /opt/Wildfly-##.#.#.Final/modules/system/layers/base/org/jboss/log4j/logmanager/main. Trax recommends applying 2.17.1 to all application servers running Java 8.
- The cost of ignoring the Log4j vulnerability: https://www.cisecurity.org/insights/blog/The-Cost-of-Ignoring-the-Log4j-Vulnerability