29 December 2021

Apache releases Log4j security update to fix yet another vulnerability


The Apache Software Foundation (ASF) has released a security update for its Log4j logging utility to address a newly discovered RCE flaw. The latest update marks the fifth security issue discovered in the software over the past month.

Tracked as CVE-2021-44832, the bug exists due to improper input validation and allows a remote user with permission to modify the logging configuration file to construct a malicious configuration using a JDBC Appender with a data source referencing a JNDI URI, which can execute remote code.

“Apache Log4j2 versions 2.0-beta7 through 2.17.0 (excluding security fix releases 2.3.2 and 2.12.4) are vulnerable to a remote code execution (RCE) attack where an attacker with permission to modify the logging configuration file can construct a malicious configuration using a JDBC Appender with a data source referencing a JNDI URI which can execute remote code. This issue is fixed by limiting JNDI data source names to the java protocol in Log4j2 versions 2.17.1, 2.12.4, and 2.3.2,” Apache said.
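The fix quoted above restricts JNDI data source names to the java protocol. As an added example (not code from the article or from the Log4j project), the Python audit below parses a Log4j2 XML configuration and reports every JDBC appender whose DataSource jndiName does not carry the java: scheme, so an operator can find risky configurations in a repository before or alongside the upgrade to 2.17.1, 2.12.4 or 2.3.2. The two sample configurations are constructed for this example; XML is the only Log4j2 configuration format handled here, and reporting scheme-less names for review is this example's own policy rather than something the advisory states.

```python
"""Audit a Log4j2 XML configuration for JDBC appenders whose DataSource
references a JNDI name outside the java: protocol (the CVE-2021-44832
condition). Example code; sample configs are constructed, not real."""
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

# Constructed sample: a DataSource under the java: protocol, which the
# 2.17.1 fix still permits.
SAFE_CONFIG = """<?xml version="1.0" encoding="UTF-8"?>
<Configuration status="warn">
  <Appenders>
    <JDBC name="databaseAppender" tableName="LOGGING.APPLICATION_LOG">
      <DataSource jndiName="java:comp/env/jdbc/LoggingDataSource" />
      <Column name="EVENT_DATE" isEventTimestamp="true" />
      <Column name="MESSAGE" pattern="%message" />
    </JDBC>
  </Appenders>
  <Loggers>
    <Root level="warn"><AppenderRef ref="databaseAppender"/></Root>
  </Loggers>
</Configuration>
"""

# Constructed sample: a DataSource whose JNDI name uses a non-java scheme,
# the pattern the advisory describes and the fixed releases reject.
RISKY_CONFIG = """<?xml version="1.0" encoding="UTF-8"?>
<Configuration status="warn">
  <Appenders>
    <JDBC name="databaseAppender" tableName="LOGGING.APPLICATION_LOG">
      <DataSource jndiName="ldap://example.invalid/datasource" />
      <Column name="MESSAGE" pattern="%message" />
    </JDBC>
  </Appenders>
  <Loggers>
    <Root level="warn"><AppenderRef ref="databaseAppender"/></Root>
  </Loggers>
</Configuration>
"""


def jndi_scheme(name: str) -> str:
    """Return the lowercase URI scheme of a JNDI name, or '' if it has none."""
    return urlsplit(name.strip()).scheme.lower()


def is_jdbc_appender(elem: ET.Element) -> bool:
    """Match both <JDBC .../> and the strict form <Appender type="JDBC" .../>,
    ignoring any XML namespace prefix on the tag."""
    tag = elem.tag.rsplit("}", 1)[-1].lower()
    return tag == "jdbc" or (tag == "appender" and elem.get("type", "").lower() == "jdbc")


def audit_log4j2_xml(xml_text: str) -> list:
    """Return (appender name, jndiName, scheme) for every JDBC appender whose
    DataSource JNDI name is not under the java: protocol. Scheme-less names
    are reported too (scheme '') so a reviewer can look at them; that choice
    is this example's policy, not part of the advisory."""
    root = ET.fromstring(xml_text)  # ElementTree does not fetch external entities
    findings = []
    for appender in root.iter():
        if not is_jdbc_appender(appender):
            continue
        for child in appender.iter():  # includes the appender element itself
            jndi_name = child.get("jndiName")
            if jndi_name is None:
                continue
            scheme = jndi_scheme(jndi_name)
            if scheme != "java":
                findings.append((appender.get("name", "<unnamed>"), jndi_name, scheme))
    return findings


if __name__ == "__main__":
    for label, cfg in (("safe", SAFE_CONFIG), ("risky", RISKY_CONFIG)):
        print(label, audit_log4j2_xml(cfg))
```

To run it over real files, pass `open(path).read()` to `audit_log4j2_xml`; a non-empty result means the configuration references a JNDI data source that the fixed Log4j2 releases would refuse to use and that deserves a look regardless of which version is deployed.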

According to Checkmarx security researcher Yaniv Nizry, who discovered the issue, the complexity of CVE-2021-44832 is higher than that of the original CVE-2021-44228 because it requires the attacker to have control over the configuration.

“Unlike Logback, in Log4j there is a feature to load a remote configuration file or to configure the logger through the code, so an arbitrary code execution could be achieved with [an] MitM attack, user input ending up in a vulnerable configuration variable, or modifying the config file,” Nizry explained.

Since the disclosure of Log4Shell (CVE-2021-44228), multiple threat actors have been quick to incorporate the flaw into their attacks. Among the hacker groups observed exploiting the vulnerability, security researchers have seen malicious actors believed to be working on behalf of the Chinese government. Earlier this month, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) released a scanner for identifying web servers affected by the recently disclosed Apache Log4j remote code execution vulnerabilities (CVE-2021-44228 and CVE-2021-45046).
