Apache has published Log4j version 2.17.1, which fixes CVE-2021-44832, a newly found code execution flaw. Prior to that, the most recent version of Log4j, 2.17.0, was considered the safest release to update, however that advice has since changed the Log4j vulnerability resource center to reflect current download trends and statistics for 2.17.1.
CheckMarx researchers have revealed details about the vulnerability in Log4j version 2.17.0, which was just released. Apache released this version a few days after two other patches that addressed the major Log4Shell attack and related problems. By altering the Log4j logging configuration file, attackers might execute remote code on a variety of servers or apps. It's one of the most well-known security weaknesses on the internet, affecting enterprise and government customers who use Log4j versions 2.0 through 2.14.1 in their environments.
Last month, a security researcher discovered yet another zero-day vulnerability in the Apache Log4j Java-based logging library, which threat actors may use to execute malicious code on compromised frameworks. This week, Apache released another version (Log4j rendition 2.17.1) that aims to fix the remote code execution (RCE) flaw in v2.17.0.
Log4j is a well-known Java library built by the Apache Software Foundation, which is open-source. Designers use it to log error messages in large commercial systems and cloud administrations such as Minecraft, Steam, and Apple iCloud.
Apache acknowledged the issue in an advisory, describing the moderate-severity flaw (CVSS 6.6) as follows – Attribution link: An attacker with permission to modify the logging configuration file can construct a malicious configuration using a JDBC Appender with a data source referencing a JNDI URI, which can execute remote code, in Apache Log4j2 versions 2.0-beta7 through 2.17.0 (excluding security fix releases 2.3.2 and 2.12.4).
The new Log4j CVE "only applies if an attacker can already edit the Log4j config file," according to security researcher Kevin Beaumont. "An attacker already owns your web app or host if they can edit your Log4j config file."
One of the most important lessons learned from the events surrounding Log4j is that it is humanly impossible for open source project maintainers to cover every possible attack vector while also correcting known vulnerabilities. This is why community-led vulnerability research and reporting is a benefit to open source. However, if not done properly, it can rapidly become a nuisance.
"Irresponsible disclosures jeopardize the work of open source projects and their maintainers, and if not handled, this problem will only get worse."
Another crucial point to note is that unlike the previous four Log4j CVEs revealed thus far, no one was credited with identifying CVE-2021-44832 according to Apache's official warning.