Apache releases Log4j patch to address new RCE vulnerability
The Apache Software Foundation has released a new patch for Log4j, the Java-based logging utility that has seen vulnerabilities targeted en masse by hackers since Dec. 13.
Log4j 2.17.1, the fifth update this month, addresses a new remote code execution vulnerability found in 2.17.0. CVE-2021-44832 allows an attacker with permission to modify the logging configuration file to construct a malicious configuration that allows for remote code execution. The vulnerability affects all versions of Log4j from 2.0-alpha7 to 2.17.0, excluding 2.3.2 and 2.12.4.
The new vulnerability has been fixed by limiting JDNI data source names to the Java protocol in Log4j version 2.17.1 along with patches for earlier releases, 2.12.4 for Java 8 and 2.3.2 for Java 6.
The vulnerability has a Common Vulnerability Scoring System score of 6.6. As researchers at Snyk Ltd. noted today, it’s not as bad as it sounds, although they added that those running Log4j should apply the new patches.
“The Log4j CVE being released today requires a fairly obscure set of conditions to trigger,” Casey Ellis, founder and chief technology officer at crowdsourced security company Bugcrowd Inc., told SiliconANGLE. “So, while it’s important for people to keep an eye out for newly released CVEs for situational awareness, this CVE doesn’t appear to increase the already elevated risk of compromise via Log4j.”
Ellis explained that the vulnerability appears to have been discovered through the use of static code analysis tools in conjunction with manual review/exploit development. “As a logging library, Log4j is inherently flexible in terms of how data can be passed to it — each of these points of interaction is a potential vector for exploitation,” Ellis noted. “Many eyes are currently scouring Log4j, so it’s fairly safe to expect more of this type of vulnerability announcement over the coming weeks. In the interest of staying as up-to-date as possible with Log4j — especially if the configurations required for exploiting CVE-2021-44832 — patching to 2.17.1 is a good idea.”
Image: Apache
A message from John Furrier, co-founder of SiliconANGLE:
Your vote of support is important to us and it helps us keep the content FREE.
One click below supports our mission to provide free, deep, and relevant content.
Join our community on YouTube
Join the community that includes more than 15,000 #CubeAlumni experts, including Amazon.com CEO Andy Jassy, Dell Technologies founder and CEO Michael Dell, Intel CEO Pat Gelsinger, and many more luminaries and experts.
THANK YOU