Apache Log4j2 versions 2.0-alpha1 through 2.16.0 did not protect from uncontrolled recursion from self-referential lookups. When the logging configuration uses a non-default Pattern Layout with a Context Lookup (for example, $${ctx:loginId}), attackers with control over Thread Context Map (MDC) input data can craft malicious input data that contains a recursive lookup, resulting in a StackOverflowError that will terminate the process. This is also known as a DOS (Denial of Service) attack. Log4J 2.17.0 fixes CVE-2021-45105.
About Log4J Vulnerability:
Log4j is a ubiquitous logging tool included in almost every Java application, meaning this vulnerability affects literally millions of servers. The Log4J library vulnerability (CVE-2021-44228) allows an attacker to cause the target system to fetch and execute code from a remote location controlled by the attacker. The second stage, what the downloaded malicious code does next, is fully up to the attacker. This library is used by many software vendors and service providers globally as a standardized way of handling log messages within the software.
Here’s a step-by-step guide Log4J Remediations & Recommendations.
Veeam is not affected by Log4J vulnerability: Blog Post
Backup with Trusted Repository Storage: Blog Post.
Protect your Backup against Ransomware: Blog Post.
