Apache Log4j socket receiver deserialization vulnerability
Description
Apache Log4j is a widely used Java logging framework. Versions 2.0-alpha1 through 2.8.1 contain a critical deserialization vulnerability when Log4j is configured to receive log events over network sockets using its TCP or UDP socket server components. Because these components deserialize untrusted data arriving from the network, an attacker who can reach the socket server can send a maliciously crafted serialized object that executes arbitrary code when it is deserialized. The vulnerability only affects applications that have explicitly enabled the socket server functionality to receive remote log events.
Remediation
Immediately upgrade Apache Log4j to version 2.8.2 or later, which addresses this deserialization vulnerability. Follow these steps:
1. Identify affected systems: Locate all applications using Log4j versions 2.0-alpha1 through 2.8.1 with socket server functionality enabled
2. Update dependencies: Update the Log4j dependency in your project configuration (pom.xml, build.gradle, or equivalent) to version 2.8.2 or higher
3. Rebuild and redeploy: Recompile your application with the updated library and deploy to all affected environments
4. Verify configuration: Review Log4j configurations to ensure socket servers are only enabled when absolutely necessary and are not exposed to untrusted networks
5. Network controls: If socket servers must remain enabled, implement firewall rules to restrict access to trusted sources only
If immediate upgrading is not possible, disable the socket server functionality or isolate affected systems from untrusted network access as a temporary mitigation.
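The version check behind steps 1 and 2 above, as an added Python example that is not part of this advisory: it assumes a Maven pom.xml, resolves ${...} version properties, and flags org.apache.logging.log4j dependencies whose version falls in the affected range, ordering pre-release qualifiers the way Maven does (alpha < beta < rc < release) so that 2.0-alpha1 is correctly counted as affected.

```python
import re
import xml.etree.ElementTree as ET
# Maven qualifier precedence: pre-release qualifiers sort before the final release.
_QUALIFIER_RANK = {"alpha": 0, "beta": 1, "milestone": 2, "rc": 3, "snapshot": 4, "": 5}
_POM_NS = {"m": "http://maven.apache.org/POM/4.0.0"}

def version_key(version):
    """Sortable key for a Log4j version such as '2.0-alpha1', '2.0-rc2' or '2.8.1'."""
    m = re.fullmatch(r"(\d+(?:\.\d+)*)-?([A-Za-z]*)(\d*)", version.strip())
    if not m or m.group(2).lower() not in _QUALIFIER_RANK:
        raise ValueError(f"unrecognised Log4j version: {version!r}")
    numbers = tuple(int(p) for p in m.group(1).split("."))
    numbers += (0,) * (3 - len(numbers))  # treat 2.0 and 2.0.0 as equal
    return numbers, _QUALIFIER_RANK[m.group(2).lower()], int(m.group(3) or 0)

AFFECTED_FROM = version_key("2.0-alpha1")  # first affected version per the advisory
FIXED_IN = version_key("2.8.2")            # first fixed version per the advisory

def is_affected(version):
    """True when the version lies in the advisory's range 2.0-alpha1 through 2.8.1."""
    return AFFECTED_FROM <= version_key(version) < FIXED_IN

def affected_log4j_dependencies(pom_xml):
    """Return (artifactId, resolved version) for each Log4j dependency in the affected range."""
    root = ET.fromstring(pom_xml)
    # Maven projects often pin versions through <properties>; resolve ${...} placeholders.
    props_el = root.find("m:properties", _POM_NS)
    props = {} if props_el is None else {p.tag.split("}")[-1]: (p.text or "").strip() for p in props_el}
    hits = []
    for dep in root.findall(".//m:dependency", _POM_NS):
        group = dep.findtext("m:groupId", default="", namespaces=_POM_NS)
        artifact = dep.findtext("m:artifactId", default="", namespaces=_POM_NS)
        version = dep.findtext("m:version", default="", namespaces=_POM_NS).strip()
        placeholder = re.fullmatch(r"\$\{([^}]+)\}", version)
        if placeholder:
            version = props.get(placeholder.group(1), "")
        # A version inherited from a parent POM or BOM is empty here and must be checked there.
        if group == "org.apache.logging.log4j" and version and is_affected(version):
            hits.append((artifact, version))
    return hits

# Constructed sample pom.xml for demonstration; not taken from any real project.
SAMPLE_POM = """<project xmlns="http://maven.apache.org/POM/4.0.0">
  <properties><log4j.version>2.8.1</log4j.version></properties>
  <dependencies>
    <dependency><groupId>org.apache.logging.log4j</groupId>
      <artifactId>log4j-core</artifactId><version>${log4j.version}</version></dependency>
    <dependency><groupId>junit</groupId><artifactId>junit</artifactId><version>4.12</version></dependency>
  </dependencies>
</project>"""
```

Running `affected_log4j_dependencies(SAMPLE_POM)` on the constructed POM returns `[('log4j-core', '2.8.1')]`; a dependency whose version is managed by a parent POM or BOM is skipped and has to be checked in that file.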