Log4j RCE

Overview

This article addresses the recent Log4j RCE.

Refer to the following links for more information:

• https://logging.apache.org/log4j/2.x/security.html
• https://usa.kaspersky.com/blog/log4shell-critical-vulnerability-in-apache-log4j/25936/
• https://stackoverflow.com/questions/70315727/where-to-put-formatmsgnolookups-in-log4j-xml-config-file

Log4j and SFTP Gateway Classic

The log4j issue does not apply to SFTP Gateway version 1.x. This is because v1 does not use Java (and log4j is a Java library).

Sometimes, operating systems can have the log4j yum package installed (but this should not be the case for Amazon Linux 1).

To verify this, SSH into the EC2 instance, and run the command:

sudo su
yum list installed log4j*

You should get output that indicates that there are no packages named log4j installed on the OS.