start portlet menu bar

HCLSoftware: Fueling the Digital+ Economy

Display portlet menu
end portlet menu bar
Select Page

News broke out on Thursday, December 9th as Log4j, the most utilized open-source logging system in the world, displayed clear evidence of a critical vulnerability affecting large companies all over the world, including Apple, Amazon, Cloudflare, Steam, Tesla, Twitter, and Baidu.

According to Microsoft Security Response Team, the Apache Log4j 0-day vulnerability allows unauthenticated remote code execution and is triggered when a specially crafted string provided by the attacker through a variety of different input vectors is parsed and processed by the Log4j 2 vulnerable component. Attacks have already taken place less than a day after its reporting, and Netlab, the networking security division of Chinese tech giant Qihoo 360, disclosed that Attackers like Mirai and Muhstik (aka Tsunami) are still actively looking for vulnerable servers to exploit.

Currently, this vulnerability, also known as CVE-2021-44228 currently holds a risk matrix base score of 10, the highest risk possible according to Oracle advisory, and has been labeled by GitHub advisory as a critical severity level.



Have I been affected?

To determine if your application has been affected by this vulnerability:

  • Determine your current Log4j version and update. All versions prior to 2.16.0 have been affected. This is recommended as it was found that, Apache Log4j 2.15.0 was incomplete in certain non-default configurations. This vulnerability called, “CVE-2021-45046” made the previous version susceptible to attacks. As such, Log4j 2.16.0 fixes this issue by removing support for message lookup patterns and disabling JNDI functionality by default.


  • Determine your current Java version and update. All versions lower than the ones below are vulnerable:
    • Java 6 – 6u212
    • Java 7 – 7u202
    • Java 8 – 8u192
    • Java 11 – 11.0.2

If the application has both Java & Log4j issues, then according to Certnz advisory it is certainly been affected. However, you can still check your domain vulnerability by using open-source testing tools, like GitHub – log4shell-tester.


Log4j Solution?

 Download Log4j version 2.16.0 (If you are unable to upgrade, follow the steps below):

  • Behavior can be mitigated by either setting system property formatMsgNoLookups or environment variable LOG4J_FORMAT_MSG_NO_LOOKUPS to true.
  • If using version >=2.0-beta9and <=2.10.0, remove log4j’s JndiLookup class from Java’s classpath as under: zip -q -d log4j-core-*.jar org/apache/logging/log4j/core/lookup/JndiLookup.class



How AppScan can help

HCL AppScan can help developers scan for log4j vulnerabilities CVE-2021-44228 and CVE-2021-45046 with its Open-Source analysis (OSA) or Dynamic Application Security Testing (DAST) capabilities in our cloud-based application security testing solution AppScan on Cloud.

Learn how to scan for vulnerability Log4j with HCL AppScan on Cloud’s OSA capability

Video image

Learn how to scan for vulnerability Log4j with HCL AppScan on Cloud’s DAST capability

Video image


What is AppScan on Cloud (ASoC)?

ASoC offers an unparalleled suite of comprehensive security testing tools available on the cloud, including SAST, DAST, IAST, and OSA. Enabling organizations to address vulnerability earlier in the Software Development Life Cycle (SDLC), reducing false positives, fixing code as it’s written and yielding advanced correlation to deliver more accurate results empowering organizations to deliver secure & compliant software faster and at scale.


For a free demonstration of AppScan’s OSA tool and our suite of security testing tools, including SAST, DAST, IAST for web, and open-source applications. Click here.

For additional information on Log4j vulnerability in HCL  AppScan’s deployment platforms, please see AppScan technote.

Comment wrap
Secure DevOps | December 20, 2023
Secure Application Code Against Vulnerabilities Faster with HCL AppScan Fix Groups
Stop in for an update on how HCL AppScan helps find vulnerabilities and security risks, starting with built in AI that dramatically reduces the number of scan findings and practically eliminates false positives.
Secure DevOps | December 5, 2023
HCLSoftware Named a Strong Performer in The Forrester Wave™ - Static Application Security Testing, Q3 2023
HCLSoftware has been named a strong performer in The Forrester Wave™ - Static Application Security Testing, Q3 2023 Report. Read the blog to know more.
Secure DevOps | October 25, 2023
OWASP DC Global AppSec 2023 - Exploring the Power of HCL AppScan
Join HCLSoftware as we unveil the power of AppScan at OWASP DC Global AppSec 2023. This exciting event will give you a glimpse into the very best of application security – come check us out!