Close
Log in to Zabbix Blog
Email
Password
Show password Hide password
Forgot password?
Incorrect e-mail and/or password
or
By creating an account or logging in with an existing account, you agree to our Terms of Service
Handy TipsTechnicalHow ToIntegrationsConferencesCommunityNewsSocialInterviewCase Study

Zabbix NOT AFFECTED by the Log4j exploit

fake_first_name_45359 fake_last_name_45359
fake_first_name_45359 fake_last_name_45359
Zabbix Certified Expert & Trainer
News Technical
December 13, 2021
A newly revealed vulnerability impacting Apache Log4j 2 versions 2.0 to 2.14.1 was disclosed on GitHub on 9 December 2021 and registered as CVE-2021-44228 with the highest severity rating. Log4j is an open-source, Java-based logging utility widely used by enterprise applications and cloud services. By utilizing this vulnerability, a remote attacker could take control of […]

A newly revealed vulnerability impacting Apache Log4j 2 versions 2.0 to 2.14.1 was disclosed on GitHub on 9 December 2021 and registered as CVE-2021-44228 with the highest severity rating. Log4j is an open-source, Java-based logging utility widely used by enterprise applications and cloud services. By utilizing this vulnerability, a remote attacker could take control of the affected system.

Zabbix is aware of this vulnerability, has completed verification, and can conclude that the only product where we use Java is Zabbix Java Gateway, which does not utilize the log4j library, thereby is not impacted by this vulnerability.

For customers, who use the log4j library with other Java applications, here are some proactive measures, which they can take to reduce the risk posed by CVE-2021-44228:

  • Upgrade to Apache log4j-2.1.50.rc2, as all prior 2.x versions are vulnerable.
  • For Log4j version 2.10.0 or later, block JNDI from making requests to untrusted servers by setting the configuration value log4j2.formatMsgNoLookups to “TRUE” to prevent LDAP and other queries.
  • Default both com.sun.jndi.rmi.object.trustURLCodebase and com.sun.jndi.cosnaming.object.trustURLCodebase to “FALSE” to prevent Remote Code Execution attacks in Java 8u121.
Tags:
cve-2021-44228log4jsecurity
fake_first_name_45359 fake_last_name_45359
fake_first_name_45359 fake_last_name_45359
Zabbix Certified Expert & Trainer
Prev Post Prev Post Next Post Next Post
Subscribe
Notify of
5 Comments
Oldest
Newest Most Voted
Inline Feedbacks
View all comments
author_85248
author_85248
4 years ago

This is a placeholder comment.

0
author_85249
author_85249
4 years ago

This is a placeholder comment.

0
author_85253
author_85253
4 years ago

This is a placeholder comment.

0
author_85264
author_85264
4 years ago
Reply to  author_85253

This is a placeholder comment.

0
author_85259
author_85259
4 years ago

This is a placeholder comment.

0

Related articles

Change is the Only Constant: 2024 in Review
Change is the Only Constant: 2024 in Review
File Integrity Monitoring with Zabbix
File Integrity Monitoring with Zabbix
See what’s possible in Zabbix 7.2!
See what’s possible in Zabbix 7.2!
NetBox as Home CMDB and Integrated with Zabbix
NetBox as Home CMDB and Integrated with Zabbix
An Introduction to Browser Monitoring
An Introduction to Browser Monitoring
5
0
Would love your thoughts, please comment.x
()
x