The Log4j default appender, the ConsoleAppender, has a security vulnerability that can be exploited to execute arbitrary code on the server. The issue is due to the lack of input sanitization by default: a remote attacker could send an email which, when viewed with the ConsoleAppender, could execute arbitrary code on the server. Apache Log4j 1.2 reached end of life in August 2015. Users should upgrade to Log4j 2, which also addresses numerous other issues from the previous versions.

Description of Apache Log4j 2

Log4j 2 is a logging library for Java. It is designed with performance in mind and offers many features that are not available in the previous versions of Log4j.

Apache Log4j 1.2 – A weakness in the default appender

The default appender in Apache Log4j is the ConsoleAppender. One of the security vulnerabilities in the 1.2 release was a weakness in this default appender that a remote attacker can exploit to execute arbitrary code on the server. The issue was due to the lack of input sanitization by default: an email that is viewed with this appender could execute arbitrary code on the server. Apache Log4j 1.2 reached end of life in August 2015, and users should upgrade to Log4j 2, which also addresses numerous other issues from previous versions.

Apache Log4j 1.2

Security Vulnerability

The Log4j 1.2 security vulnerability affects the Apache Log4j application. The issue is due to the lack of input sanitization by default, so a remote attacker could send an email which, when viewed with the ConsoleAppender, could execute arbitrary code on the server. If you are still using Apache Log4j 1.2, you should upgrade to Log4j 2, which addresses numerous other issues from the previous versions and is supported by the Apache Software Foundation for another 3 years.

Timeline

Published on: 01/18/2022 16:15:00 UTC
Last modified on: 07/25/2022 18:21:00 UTC
