29 December 2021

Apache releases Log4j security update to fix yet another vulnerability

The Apache Software Foundation (ASF) has released a security update for its Log4j logging utility to address a newly discovered RCE flaw. The latest update marks the fifth security issue discovered in the software over the past month.

Tracked as CVE-2021-44832, the bug stems from improper input validation. It allows a remote user who has permission to modify the logging configuration file to construct a malicious configuration using a JDBC Appender whose data source references a JNDI URI, which can lead to remote code execution.

“Apache Log4j2 versions 2.0-beta7 through 2.17.0 (excluding security fix releases 2.3.2 and 2.12.4) are vulnerable to a remote code execution (RCE) attack where an attacker with permission to modify the logging configuration file can construct a malicious configuration using a JDBC Appender with a data source referencing a JNDI URI which can execute remote code. This issue is fixed by limiting JNDI data source names to the java protocol in Log4j2 versions 2.17.1, 2.12.4, and 2.3.2,” Apache said.
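The affected-version range and the java-only restriction quoted in the advisory above can be turned into a quick configuration audit. The following Python is an added example, not code from Apache or from the article: it checks a reported Log4j2 version against the advisory's range (2.0-beta7 through 2.17.0, excluding 2.3.2 and 2.12.4) and flags any JDBC Appender whose DataSource jndiName does not use the java: scheme, which is the condition the fix enforces. The XML configurations are constructed samples; the element names follow the conventional Log4j2 XML casing, and strict-mode configurations (`<Appender type="JDBC">`) are deliberately not matched.

```python
import re
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

# Fix releases named in the ASF advisory: these are outside the affected range.
FIXED_RELEASES = {"2.17.1", "2.12.4", "2.3.2"}


def _version_key(version):
    """Turn '2.0-beta7', '2.0-rc1' or '2.17.0' into a sortable tuple.

    Pre-release tags sort before the final release of the same number
    (beta < rc < final), which is how Log4j2 numbered its 2.0 line.
    """
    m = re.fullmatch(r"(\d+)\.(\d+)(?:\.(\d+))?(?:-(beta|rc)(\d+))?", version.strip())
    if not m:
        raise ValueError(f"unrecognised Log4j version string: {version!r}")
    major, minor, patch, tag, tag_num = m.groups()
    stage = {"beta": 0, "rc": 1, None: 2}[tag]
    return (int(major), int(minor), int(patch or 0), stage, int(tag_num or 0))


def is_affected_version(version):
    """True if the version lies in the advisory's affected range:
    2.0-beta7 through 2.17.0, excluding the 2.3.2 and 2.12.4 fix releases."""
    if version.strip() in FIXED_RELEASES:
        return False
    return _version_key("2.0-beta7") <= _version_key(version) <= _version_key("2.17.0")


def find_non_java_jndi_sources(config_xml):
    """Return (appender name, jndiName) pairs for every JDBC appender whose
    DataSource names a JNDI resource outside the java: scheme.

    Conservative by design: a jndiName with no scheme at all is also flagged,
    because the patched behaviour only permits the java protocol.
    """
    root = ET.fromstring(config_xml)
    findings = []
    for element in root.iter():
        if element.tag.lower() != "jdbc":
            continue
        for ds in element:
            if ds.tag.lower() != "datasource":
                continue
            jndi_name = ds.get("jndiName", "")
            if urlsplit(jndi_name).scheme.lower() != "java":
                findings.append((element.get("name", "?"), jndi_name))
    return findings


# Constructed sample: a JDBC appender bound to a container-managed data source
# via the java: scheme, which is what the fix still allows.
SAFE_CONFIG = """<?xml version="1.0" encoding="UTF-8"?>
<Configuration status="WARN">
  <Appenders>
    <JDBC name="dbAppender" tableName="application_log">
      <DataSource jndiName="java:comp/env/jdbc/LoggingDataSource"/>
      <Column name="message" pattern="%message"/>
    </JDBC>
  </Appenders>
  <Loggers>
    <Root level="info"><AppenderRef ref="dbAppender"/></Root>
  </Loggers>
</Configuration>
"""

# Constructed sample of the misconfiguration the advisory describes: the same
# appender, but its data source points at a non-java JNDI URI (placeholder host).
UNSAFE_CONFIG = SAFE_CONFIG.replace(
    "java:comp/env/jdbc/LoggingDataSource", "ldap://untrusted.example:1389/ds"
)


if __name__ == "__main__":
    for v in ("2.17.0", "2.17.1", "2.12.4", "2.0-beta6"):
        print(f"{v:>10}: {'affected' if is_affected_version(v) else 'not affected'}")
    print("safe config  :", find_non_java_jndi_sources(SAFE_CONFIG))
    print("unsafe config:", find_non_java_jndi_sources(UNSAFE_CONFIG))
```

Run against a deployment's effective log4j2.xml and the Log4j jar version; a hit from `find_non_java_jndi_sources` on an affected version is the combination the advisory describes, and the remediation is to upgrade to one of the fix releases and restrict write access to the configuration file.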

According to Checkmarx security researcher Yaniv Nizry who discovered the issue, the complexity of CVE-2021-44832 is higher than the original CVE-2021-44228 because it requires the attacker to have control over the configuration.

“Unlike Logback, in Log4j there is a feature to load a remote configuration file or to configure the logger through the code, so an arbitrary code execution could be achieved with [an] MitM attack, user input ending up in a vulnerable configuration variable, or modifying the config file,” Nizry explained.

Since the disclosure of Log4Shell (CVE-2021-44228), multiple threat actors have been quick to incorporate the flaw into their attacks. Among the groups observed exploiting the vulnerability, security researchers have identified actors believed to be working on behalf of the Chinese government. Earlier this month, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) released a scanner for identifying web servers affected by the recently disclosed Apache Log4j remote code execution vulnerabilities (CVE-2021-44228 and CVE-2021-45046).
