Find and Fix Log4j
In December 2021, a zero-day Remote Code Execution exploit was discovered in the component, log4j-core, the most popular Java logging framework. The log4j-core vulnerability (CVE-2021-44228, a.k.a. Log4Shell) affects a massive number of applications and businesses. Essentially any application that contains a vulnerable version of log4j-core is exploitable.
It has been determined that the fix for CVE-2021-44228 committed in v2.15 was insufficient in limiting nested message lookups in log4j. This resulted in CVE-2021-45046—a Security High vulnerability on v2.15. In addition, a Denial-of-Service (DoS) vulnerability (CVE-2021-45105) has been discovered in v2.16.
It is recommended that all users upgrade to version 2.17.1 .
Select the Nexus solution you wish to use
Nexus Lifecycle (identify and fix the log4j-core vulnerability across applications)
Nexus Firewall (identify if log4j-core exists in your repository and prevent future downloads of vulnerable versions of log4j-core)
Nexus Repository (identify if log4j-core exists in your repository)
Nexus Lifecycle
The following information helps Nexus Lifecycle users find and fix log4j-core vulnerabilities. In addition, we've created a short video that walks you through this topic:
How do I know if my applications are affected by the log4shell vulnerability (CVE-2021-44228)?
log4j-core is in my application. How do I fix it?
How do I protect my applications going forward?
Nexus Firewall
The following information helps Nexus Firewall users identify if log4j-core exists in your repository and prevent future downloads of vulnerable versions of log4j-core.
Nexus Repository
The following information helps Nexus Repository users identify if log4j-core exists in your repository.
Additional Resources
- For a product-specific breakdown of log4j-core in Sonatype products, see Sonatype Product Log4j Vulnerability Status
- Sonatype resource: Log4j Vulnerability Resource Center
- Sonatype blog: FTC Warning in Wake of Log4j: Secure Your Software Supply Chain
- Sonatype blog: How Large Organizations Can Easily Scan for Log4j Vulnerabilities
- Sonatype blog: Critical New 0-day Vulnerability in Popular Log4j Library Discovered with Evidence of Mass Scanning for Affected Applications - Latest updates
- Sonatype blog: Log4shell by the numbers- Why did CVE-2021-44228 set the Internet on Fire?
- Sign up for Sontype’s log4j exploit explained webinar
- For more information, please see Apache Log4j Security Vulnerabilities
- For further assistance, please contact your Customer Success representative or log a support ticket.