CVE-2021-44228 and CVE-2021-45046: Apache Log4j Vulnerability

Issue

Serious remote code execution (RCE) and denial of service (DoS) vulnerabilities in Apache Log4j could affect customers running some OpenNMS products. These vulnerabilities could allow an attacker to shut down or compromise your system by causing OpenNMS to log specially crafted messages into system log files. Apache Log4j could interpret one of those messages as an instruction to download, run, or install malicious software.

To mitigate this risk, consult the following table and install the latest OpenNMS software upgrade or apply a work-around.

For more information about the Log4j vulnerability, see the Apache Log4j security notice for CVE-2021-44228 and CVE-2021-45046 at Log4j – Apache Log4j Security Vulnerabilities.

Remediation

Remediation options were listed here in a previous version of this post but have since been moved to this OpenNMS Blog Post to prevent duplication.

Detection

Find out how to verify that the mitigations you put in place are protecting you from CVE-2021-44228 and CVE-2021-45046 in this Discourse article.
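As a companion to that article, here is a small Python check, added as an example and not part of the OpenNMS post or the article it links to, that inspects a log4j-core jar for the two mitigations a practitioner typically applies: upgrading to a fixed release, or deleting the JndiLookup class from the jar (the work-around Apache published for releases that could not be upgraded). The fixed-version threshold `FIXED_VERSION`, the function names and the constructed sample jars are assumptions of this example; confirm the threshold against the Apache security notice linked above before relying on it.

```python
"""Check a log4j-core jar for the Log4Shell mitigations (added example, not OpenNMS code)."""
import io
import re
import sys
import zipfile
from typing import Optional

# Class removed by the widely used "delete JndiLookup.class from the jar" work-around.
JNDI_LOOKUP_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"

# Assumption of this example: first 2.x release fixing both CVEs on Java 8+.
# Confirm against the Apache security notice the post links to.
FIXED_VERSION = "2.16.0"


def parse_version(text: str) -> tuple:
    """'2.14.1' -> (2, 14, 1); missing components compare as 0, suffixes are ignored."""
    parts = [int(p) for p in re.findall(r"\d+", text)[:3]]
    return tuple(parts + [0] * (3 - len(parts)))


def manifest_version(jar: zipfile.ZipFile) -> Optional[str]:
    """Read Implementation-Version from META-INF/MANIFEST.MF, if the jar has one."""
    try:
        manifest = jar.read("META-INF/MANIFEST.MF").decode("utf-8", errors="replace")
    except KeyError:
        return None
    for line in manifest.splitlines():
        if line.startswith("Implementation-Version:"):
            return line.split(":", 1)[1].strip()
    return None


def assess_jar(jar_bytes: bytes, fixed_version: str = FIXED_VERSION) -> dict:
    """Report what the jar shows about the two mitigations: upgrade or class removal."""
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as jar:
        version = manifest_version(jar)
        jndi_present = JNDI_LOOKUP_CLASS in jar.namelist()
    upgraded = version is not None and parse_version(version) >= parse_version(fixed_version)
    return {
        "version": version,
        "jndi_lookup_present": jndi_present,
        "upgraded": upgraded,
        # Either mitigation is enough; with no manifest version we fall back to the class check.
        "mitigated": upgraded or not jndi_present,
    }


def assess_path(path: str, fixed_version: str = FIXED_VERSION) -> dict:
    """Assess a jar on disk."""
    with open(path, "rb") as fh:
        return assess_jar(fh.read(), fixed_version)


def build_sample_jar(version: Optional[str], include_jndi: bool) -> bytes:
    """Constructed stand-in for a log4j-core jar, used only to exercise assess_jar offline."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as jar:
        if version is not None:
            jar.writestr("META-INF/MANIFEST.MF",
                         f"Manifest-Version: 1.0\nImplementation-Version: {version}\n")
        if include_jndi:
            jar.writestr(JNDI_LOOKUP_CLASS, b"\xca\xfe\xba\xbe")  # class-file magic only
    return buf.getvalue()


if __name__ == "__main__":
    targets = sys.argv[1:]
    if targets:
        for path in targets:
            print(path, assess_path(path))
    else:
        # Constructed samples: an old jar, the same jar with the class deleted, an upgraded jar.
        for label, jar in [
            ("old, untouched", build_sample_jar("2.14.1", True)),
            ("old, JndiLookup removed", build_sample_jar("2.14.1", False)),
            ("upgraded", build_sample_jar("2.16.0", True)),
        ]:
            print(f"{label}: {assess_jar(jar)}")
```

Run it with one or more jar paths, or with no arguments to exercise the constructed samples. The manifest version is only as trustworthy as the jar's packaging: a repackaged or shaded jar may carry no Implementation-Version at all, which is why the class check is the fallback. The script also does not look inside nested or fat jars, so copies of log4j-core embedded in other artefacts need unpacking before they are checked.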
