On December 9, 2021, security professionals publicly disclosed a zero-day vulnerability in Log4j, a Java logging library from the Apache Foundation. The vulnerability affects versions prior to 2.15.0 and is tracked as CVE-2021-44228 with the highest possible CVSS score (10.0).
Successful exploitation lets an attacker execute code remotely on servers running a vulnerable version of Log4j: the attacker redirects a JNDI lookup performed by the vulnerable server to a remote codebase, and the server then loads and executes the potentially malicious code it receives.
Immediately following the announcement, Arca's security and engineering teams began evaluating all Arca products and internal services for any potential impact. Arca has identified no components within the scope of the vulnerability.
Actions to Consider
If you are a technology company with exposure to the vulnerability, patch Log4j instances to version 2.16 as soon as possible. This version is available for download from Apache's website.
If you cannot patch vulnerable components, we recommend one of the following mitigations:
- Set the system property log4j2.formatMsgNoLookups to true
- Remove the JndiLookup class from the classpath
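As an added example (not Arca's code or Apache's), the following Python check tells the three states a log4j-core jar can be in apart: still vulnerable, mitigated by removing JndiLookup.class, or already at the 2.16 upgrade target. It reads the Maven pom.properties that real log4j-core jars carry; the sample jars are constructed in memory and contain only the two entries the check looks at.

```python
import io
import zipfile

JNDI_LOOKUP = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
POM_PROPS = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
UPGRADE_TARGET = (2, 16, 0)  # the version the advisory tells you to move to


def parse_version(text):
    """'2.14.1' -> (2, 14, 1); a qualifier such as '-rc1' is dropped before comparing."""
    return tuple(int(p) for p in text.strip().split("-")[0].split("."))


def assess_jar(jar):
    """Classify a jar (path or file-like): not-log4j-core, ok, mitigated, or vulnerable."""
    with zipfile.ZipFile(jar) as zf:
        names = set(zf.namelist())
        if POM_PROPS not in names:
            return "not-log4j-core"
        lines = zf.read(POM_PROPS).decode().splitlines()
        props = dict(line.split("=", 1) for line in lines if "=" in line)
    if parse_version(props["version"]) >= UPGRADE_TARGET:
        return "ok"
    # Older than the upgrade target: a missing JndiLookup.class is the classpath
    # mitigation from the advisory, so it is reported as mitigated, not fixed.
    return "mitigated" if JNDI_LOOKUP not in names else "vulnerable"


def remove_jndi_lookup(src, dst):
    """Copy src to dst leaving out JndiLookup.class (what deleting the class from the jar does)."""
    with zipfile.ZipFile(src) as zin, zipfile.ZipFile(dst, "w") as zout:
        for item in zin.infolist():
            if item.filename != JNDI_LOOKUP:
                zout.writestr(item, zin.read(item.filename))


def make_sample_jar(version=None, with_jndi=True):
    """Constructed stand-in for a jar: only the Maven metadata and class entry the check reads."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        if version is not None:
            zf.writestr(POM_PROPS, f"artifactId=log4j-core\nversion={version}\n")
        if with_jndi:
            zf.writestr(JNDI_LOOKUP, b"\xca\xfe\xba\xbe")  # class-file magic only, not real bytecode
    return buf


def demo():
    """Run the check over constructed jars in each state; returns {label: status}."""
    shipped = make_sample_jar("2.14.1")
    stripped = io.BytesIO()
    remove_jndi_lookup(shipped, stripped)
    return {"2.14.1": assess_jar(shipped), "2.14.1 without JndiLookup": assess_jar(stripped),
            "2.16.0": assess_jar(make_sample_jar("2.16.0")), "unrelated jar": assess_jar(make_sample_jar())}
```

Point assess_jar at every log4j-core jar you find on a host, including copies bundled inside application archives, since a single overlooked copy keeps the host vulnerable.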
For more information
Visit CISA's dedicated Apache Log4j Vulnerability Guidance page.
Arca is a global leader in cash automation technologies with a reputation for delivering reliable products with the shortest lead times in the industry and a commitment to excellence in service and support for the life of our products. Financial institutions, retailers, and OEM self-service and kiosk manufacturers all over the world rely on Arca products to streamline their cash operations and save them time and money while increasing the efficiency and security of cash. Visit arca.com for more information.