Mobile
Streaming Platform Products
Virtual & Dedicated Servers Products
Containers Products
Serverless Computing Products
AI & Machine Learning Products
Private and Hybrid Solutions Products
Monitoring Products
Custom Services Products
Media & Entertainment
Financial Services
IT / Technology
Retail
Education
Website Acceleration
Video Streaming
Security & Protection
Cloud
Partnership Solutions
Corporate Solutions

On December 9, 2021, a vulnerability was found in the Apache Log4j module with the highest hazard level—CVSS 10. It has been named Log4Shell. The vulnerability allows to remotely execute any code and enables attackers to gain almost complete control over the victim’s servers.
Considering how widespread this module is, millions of Java services are at risk.
But if you are connected to our application security, you have nothing to worry about. We have already taken all measures to protect our clients.
Log4Shell, or CVE-2021-44228, is a vulnerability related to the Remote Code Execution (RCE). It allows to remotely execute arbitrary code on a server without authentication.
All Java services and APIs that use the Log4j log are at risk. This log is extremely popular, so there may be millions of potential victims.
The main problem of the vulnerability is that it is quite easy to use—even an inexperienced hacker can successfully carry out an attack.
To gain access to a resource, an attacker only needs to send a special query. It allows a hacker to upload his own code to an application or API.
To protect your web resource against Log4shell vulnerability, simply turn on Basic WAF within our CDN product. It works as a built-in option and is available even on a free plan.
Log4shell vulnerability was added to the malware signature library during the latest product update.
We pass all traffic through the filtering system. Any suspicious queries, including those using the Log4Shell vulnerability, will be blocked on the way.
We will not allow intruders to run malicious code and will provide reliable protection for your websites and web applications.
First of all, update Apache Log4j to the latest version.
If for some reason there is no way to update, we recommend the following:
log4j2.formatMsgNoLookups
system property or the LOG4J_FORMAT_MSG_NO_LOOKUPS
environment variable to true
.%m{nolookups}
instead of just %m
.zip q -d log4j-core*.jar org/apache/logging/log4j/core/lookup/JndiLookup.class
.But the most reliable way to secure your resources is to enable Basic WAF.
We monitor the emergence of new vulnerabilities and update our algorithms as quickly as possible. You don’t need to worry about the safety of your resources or take emergency measures to protect them.