How to Block Log4j2 RCE Attacks in Four Simple Steps with Alibaba Cloud ARMS

Vulnerability Overview

Apache Log4j2 remote code execution (RCE) vulnerability (CNVD‑2021‑95914) exploits the default‑enabled Lookup feature, which allows unrestricted JNDI lookups. An attacker can inject a malicious JNDI reference, causing Log4j2 to load and execute arbitrary classes, leading to full system compromise.

All Log4j2 versions up to 2.14.1 are vulnerable. The vulnerability affects many popular projects that embed Log4j2, such as spring‑boot‑starter‑log4j2, Apache Struts2, Solr, Flink, Druid, Elasticsearch, Flume, Dubbo, Redis, Logstash, Kafka, etc., impacting tens of thousands of open‑source projects and a large proportion of enterprise services.

Why Runtime Application Self‑Protection (RASP) Can Mitigate

RASP instruments the application at runtime and blocks dangerous operations such as JNDI‑based class loading, arbitrary file reads, or command execution. Because it monitors behavior relative to the application’s normal baseline, it can detect and stop Log4j2 exploitation without requiring custom signatures.

Four‑Step Mitigation Using Alibaba Cloud ARMS (RASP)

Log in to the ARMS console.

Navigate to Application → Attack Statistics to view detected Log4j2 exploit attempts and configure alert channels (e.g., SMS, DingTalk, email).

After an observation period, switch the protection mode to “monitor and block” so confirmed malicious actions are automatically blocked.

Open Application Security → Dangerous Component Detection to scan deployed services for log4j‑core JARs, view their versions, and obtain remediation suggestions.

Remediation and Upgrade Recommendations

Identify any application that includes log4j‑core JARs with versions ≤ 2.14.1 and upgrade to the latest release, e.g., Log4j 2.15.0‑rc2. Release URL: https://github.com/apache/Logging-Log4j2/releases/tag/Log4j-2.15.0-rc2

Upgrade dependent frameworks such as spring‑boot‑starter‑log4j2, Apache Struts2, Solr, Flink, Druid, Elasticsearch, etc., to versions that use the patched Log4j2.

Upgrade the JDK to at least 6u211, 7u201, 8u191, or 11.0.1, which mitigates JNDI exploitation.

Close unnecessary external ports, enforce strict certificate validation, and reduce the external attack surface.

Deploy a Web Application Firewall (WAF) in conjunction with RASP for layered runtime protection.

Maintain an internal, vetted open‑source component repository and apply security patches promptly.

Implement network segmentation and enhance threat detection across the environment.