cythera-logo-darkmode
Are you experiencing a security incident?
Incident Response
Assess & Improve
Detect & Respond
Protect & Secure
Advise & Empower
Resources
Case Studies
Real-world examples
Articles
In-depth insights
Advisories
Newly discovered threats
About us
Leadership Team
Meet the experts
Events
Join upcoming events
Award & Certifications
Industry recognitions
Vendor Partners
Trusted vendors
Talk to an expert
Service Category
Services
Popular Services
Employee Cyber Training & Awareness
Train smart and stay secure
Advisory
Secure smarter with strategic security advisory
Managed Protection
Always-on protection. Smarter security
Security Architecture
Security that drives real results, cloud to full stack
Digital Forensics & Incident Response
DFIR experts, ready when you need them.
Cyber Threat Intelligence
Real time insights from Cassini CTI
Managed Detection & Response
Our experts watch, so you don’t have to.
Certification & Accreditation
Get certified with ease
Audit & Assurance
Audits you trust. Assurance that drives action.
Governance, Risk & Compliance
Simplfy compliance, strengthen protection
Cyber Maturity Assessments
Level up your cyber security game
Penetration Testing
Penetration testing that spots weaknesses
Case Studies
    
Articles
    
Advisories
    
Web Filter, CASB & DLP (Cloud Access Security Broker & Data Loss Prevention)
Web Application Penetration Testing
Vulnerability Management
Vulnerability Assessment
vITSM
Virtual Security Architect (vSecArch)
vCISO
System Security Plan
System Architecture, Design & Implementation
Strategic Security Consulting
SWIFT CSCF
Specialist Testing
Source Code Review
Social Engineering & Phishing
Security Policy and Standard Development
Security Incident Response Testing
Security Awareness Training
Secure Access Service Edge (SASE)
Risk Management
Risk Assessment
Red Teaming
Purple Teaming
NIST CSF Maturity Uplift
Payment Card Industry (PCI)
OT/SCADA Network Penetration Test
NIST CSF Assessment
ISO 27001
Internal Penetration Testing
Incident Response Tabletop Exercise
Incident Response
Forensics
External Penetration Testing
Executive & Board Reporting
Executive and Board Security Governance Training
Essential Eight Assessment
Endpoint Protection
Email Security
DevSecOps Review & Implementation
Denial of Service (DoS) Testing
Design Reviews
Dark Web Monitoring
Controls Validation Audit
Continuous Certification
Compliance Programme Management
Configuration Reviews
Cloud Security Configuration
Cloud Posture & Security
CIS Critical Controls Assessment
Automated Patch Management
CI/CD Health Check
Artificial Intelligence (AI) Penetration Test
All of Government Marketplace
Advanced OSINT Training Course
Application Penetration Tests
NIST CSF Assessment
ISO 27001
Internal Penetration Testing
External Penetration Testing
Essential Eight Assessment
Denial of Service (DoS) Testing
Dark Web Monitoring
cythera-logo-darkmode
Advise & Empower
Explore Solutions
Protect & Secure
Explore Solutions
Detect & Respond
Explore Solutions
Assess & Improve
Explore Solutions
Resources
Articles
Advisories
About Us
Explore Bastion
Leadership Team
Events
Award & Certifications
Our Community
Vendor Partners
Employee Cyber Training & Awareness
Advisory
Managed Protection
Security Architecture
Digital Forensics & Incident Response
Cyber Threat Intelligence
Managed Detection & Response
Certification & Accreditation
Audit & Assurance
Governance, Risk & Compliance
Cyber Maturity Assessments
Penetration Testing
Popular Services
NIST CSF Assessment
ISO 27001
Internal Penetration Testing
Incident Response
Talk to an expert
Resources
About Us
Articles
>
The Perfect 10 - Remote Code Execution in Apache Log4j Requiring Emergency Patching
Cythera Cyber Security

The Perfect 10 - Remote Code Execution in Apache Log4j Requiring Emergency Patching

A few nights ago, Alibaba’s Security team found a zero-day remote code execution vulnerability within Apache’s Log4j. Log4j is so ubiquitous even Apple and Amazon use it with their software stack.
Talk to an expert

CVE: CVE-2021-44228

CVSS Score: 10 (Critical)


What Is Vulnerable?

Apache Log4j Version 2.15-rc1 or prior. (All version prior to 2.15-rc1 are vulnerable)

UPDATE 15/12: Latest 2.16 Patch fully disables JNDI and removes support for Message Lookups – https://logging.apache.org/log4j/2.x/download.html

What’s Happening?

A few nights ago, Alibaba’s Security team found a zero-day remote code execution vulnerability within Apache’s Log4j. Log4j is so ubiquitous even Apple and Amazon use it with their software stack. New Zealand’s CERT team warned journalists that they have seen this vulnerability exploited in the wild and there are proof of concepts available to threat actors. Log4J earned the infamous CVSS score of 10 from the National Vulnerability Database.

A favourite amongst Java developers, Log4j is an easy way to log for error checking within any environment it can be deployed in. Log4j has an extra couple of steps before logs get written to disk. It analyses incoming logs and checks for a $ character. If this $ is found, the logger knows to go in and change information. There is one pattern that is vulnerable to remote code execution. $(jndl:ldap This will perform a lookup to the LDAP server and deploy the malicious code found.

What You Can Do

  • Apply a network wide block to incoming and outgoing connections to LDAP and RMI ports. a. Where possible, we also recommend blocking outgoing traffic from servers.
  • Assess what business critical applications may be vulnerable and apply emergency patching where available. It is important to note that since it’s still early days, this list is expected to grow. Keep an eye out for security advisories from vendors.
  • If Apache Log4j 2.10 to 2.14 is deployed in your environment, the following system property can be applied:  Log4j2.formatMsgNoLookups=true
  • If Log4j 2.10 or earlier is deployed in your environment, jdnilookup can be removed: a. zip -q -d log4j-core-*.jar org/apache/logging/log4j/core/lookup/JndiLookup.class

Rapid7 have deployed new detection rules in InsightIDR to identify Log4j vulnerability potentially occurring:

  • Attacker Technique – Curl or Wget To Public IP Address With Non Standard Port
  • Attacker Technique – Curl Or WGet To External IP Reporting Server IP In URL
  • Suspicious Process – Curl or WGet Pipes Output to Shell
  • Suspicious Process – Curl to External IP Address

Cythera continues to monitor all managed clients and detection capabilities we have in place will likely detect any post-exploitation activities related to this vulnerability

Events

Latest events

Join Cythera experts for networking events, technical briefings, and hands-on workshops hosted throughout the year.
View all events
No items found.
Cyber security news

Latest advisories

Stay ahead of emerging threats with our expert blog posts, research, and industry updates.
Silverstripe - Host Header Injection
Silverstripe CMS is affected by a Host Header Injection flaw, which can be exploited to manipulate password reset workflows, potentially redirecting or compromising user data.
FarCry Core Framework - Multiple Issues
FarCry Core contains multiple vulnerabilities that could let unauthenticated users upload arbitrary files and execute remote code on the hosting server.
Silverstripe – Cross-Site Scripting (XSS) Vulnerability
With local organisation admin credentials, an attacker can exploit the API to create, delete, or revert virtual machine snapshots in other organisations’ Virtual Data Centres (VDCs), breaching isolation boundaries.
Advise & Empower
Protect & Secure
Detect & Respond
Assess & Improve
Back to top
Thank you! Your submission has been received!
Oops! Something went wrong while submitting the form.
Dark
Resources
Case StudiesArticlesAdvisoriesOur ISO 27001 Certificate
About UsLeadership TeamEventsAwards & CertificationsOur CommunityVendor Partnership
Are you experiencing a security breach?
Incident Response
1300 298 437
Thank you! Your submission has been received!
Oops! Something went wrong while submitting the form.
© Copyright 2025. All rights reserved