The Apache Software Foundation (ASF) has released a security update for its Log4j logging utility to address a newly discovered RCE flaw. The latest update marks the fifth security issue discovered in the software over the past month.
Tracked as CVE-2021-44832, the bug exists due to improper input validation and allows a remote user with permission to modify the logging configuration file to construct a malicious configuration using a JDBC Appender with a data source referencing a JNDI URI, which can execute remote code.
“Apache Log4j2 versions 2.0-beta7 through 2.17.0 (excluding security fix releases 2.3.2 and 2.12.4) are vulnerable to a remote code execution (RCE) attack where an attacker with permission to modify the logging configuration file can construct a malicious configuration using a JDBC Appender with a data source referencing a JNDI URI which can execute remote code. This issue is fixed by limiting JNDI data source names to the java protocol in Log4j2 versions 2.17.1, 2.12.4, and 2.3.2,” Apache said.
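As an added illustration (not code from Apache, Checkmarx or this article), the following Python check mirrors the fix described above on the defender's side: it scans a Log4j 2 XML configuration for JDBC Appender DataSource elements whose JNDI name does not use the `java:` protocol, so that such configurations can be caught in review or in a config-management pipeline. The sample configuration and the `placeholder.invalid` host are constructed for the example.

```python
# Added example: flag JDBC Appender DataSources in a Log4j 2 XML configuration whose
# jndiName uses a protocol other than "java:", the condition behind CVE-2021-44832
# that Log4j 2.17.1 / 2.12.4 / 2.3.2 reject. Not code from Apache or Checkmarx.
import xml.etree.ElementTree as ET


def find_unsafe_jndi_datasources(config_xml: str) -> list:
    """Return (appender name, jndiName) pairs whose jndiName is not a java: name.

    A missing or empty jndiName is also reported so a reviewer can look at it.
    """
    root = ET.fromstring(config_xml)
    findings = []
    for elem in root.iter():
        tag = elem.tag.rsplit("}", 1)[-1].lower()  # tolerate namespaces and case
        # Log4j 2 accepts both <JDBC ...> and the generic <Appender type="JDBC" ...>
        is_jdbc = tag == "jdbc" or (
            tag == "appender" and elem.get("type", "").lower() == "jdbc"
        )
        if not is_jdbc:
            continue
        for child in elem:
            if child.tag.rsplit("}", 1)[-1].lower() != "datasource":
                continue
            jndi = (child.get("jndiName") or "").strip()
            if not jndi.lower().startswith("java:"):
                findings.append((elem.get("name", "<unnamed>"), jndi))
    return findings


# Constructed sample: one conventional container-managed DataSource and one whose
# JNDI name points outside the java: namespace (placeholder host, not a real target).
SAMPLE_CONFIG = """<Configuration status="warn">
  <Appenders>
    <JDBC name="dbAppender" tableName="application_log">
      <DataSource jndiName="java:comp/env/jdbc/LoggingDataSource"/>
      <Column name="message" pattern="%message"/>
    </JDBC>
    <Appender type="JDBC" name="suspiciousAppender" tableName="application_log">
      <DataSource jndiName="ldap://placeholder.invalid/LoggingDataSource"/>
      <Column name="message" pattern="%message"/>
    </Appender>
  </Appenders>
  <Loggers>
    <Root level="info"><AppenderRef ref="dbAppender"/></Root>
  </Loggers>
</Configuration>"""

if __name__ == "__main__":
    for appender, jndi in find_unsafe_jndi_datasources(SAMPLE_CONFIG):
        print(f"non-java JNDI DataSource in appender '{appender}': {jndi}")
```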
According to Checkmarx security researcher Yaniv Nizry, who discovered the issue, the complexity of CVE-2021-44832 is higher than that of the original CVE-2021-44228 because it requires the attacker to have control over the configuration.
“Unlike Logback, in Log4j there is a feature to load a remote configuration file or to configure the logger through the code, so an arbitrary code execution could be achieved with [an] MitM attack, user input ending up in a vulnerable configuration variable, or modifying the config file,” Nizry explained.
Since the disclosure of Log4Shell (CVE-2021-44228), multiple threat actors have been quick to incorporate the flaw into their attacks. Furthermore, among the hacker groups observed exploiting the vulnerability, security researchers have seen malicious actors believed to be working on behalf of the Chinese government. Earlier this month, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) released a scanner for identifying vulnerable web servers affected by the recently disclosed Apache Log4j remote code execution vulnerabilities (CVE-2021-44228 and CVE-2021-45046).