
Apache releases Log4j patch to address new RCE vulnerability

The Apache Software Foundation has released a new patch for Log4j, the Java-based logging utility that has seen vulnerabilities targeted en masse by hackers since Dec. 13.

Log4j 2.17.1, the fifth update this month, addresses a new remote code execution vulnerability found in 2.17.0. CVE-2021-44832 allows an attacker with permission to modify the logging configuration file to construct a malicious configuration that allows for remote code execution. The vulnerability affects all versions of Log4j from 2.0-alpha7 to 2.17.0, excluding 2.3.2 and 2.12.4.

The new vulnerability has been fixed by limiting JNDI data source names to the Java protocol in Log4j version 2.17.1, along with patches for earlier releases: 2.12.4 for Java 8 and 2.3.2 for Java 6.
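A configuration audit that applies the same rule as the 2.17.1 fix, added here as an example and not code from Log4j or from the article: it parses a log4j2.xml file and reports every JDBC appender whose DataSource jndiName uses a scheme other than java:. The sample configurations are constructed, and treating scheme-less container-local names as acceptable is this example's assumption.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

# Schemes accepted for a JDBC appender's DataSource jndiName. "java" mirrors
# the 2.17.1 rule described above; also accepting scheme-less local names
# (e.g. "jdbc/LoggingDS") is this example's assumption.
ALLOWED_SCHEMES = {"java", ""}


def jndi_findings(xml_text: str) -> list:
    """Return (appender name, jndiName, scheme) for every JDBC DataSource
    whose JNDI name is not restricted to the java: protocol."""
    findings = []
    root = ET.fromstring(xml_text)
    for appender in root.iter():
        if appender.tag.lower() != "jdbc":  # Log4j accepts JDBC/Jdbc spellings
            continue
        name = appender.get("name", "<unnamed>")
        for ds in appender.iter():
            if ds.tag.lower() != "datasource":
                continue
            jndi = ds.get("jndiName", "")
            scheme = urlparse(jndi).scheme.lower()
            if scheme not in ALLOWED_SCHEMES:
                findings.append((name, jndi, scheme))
    return findings


# Constructed sample configs (not from the article): one pointing the
# DataSource at a non-java: URI, one using an ordinary container-local name.
RISKY_CONFIG = """<Configuration>
  <Appenders>
    <JDBC name="db" tableName="app_log">
      <DataSource jndiName="ldap://untrusted.example/x"/>
      <Column name="message" pattern="%m"/>
    </JDBC>
  </Appenders>
</Configuration>"""

SAFE_CONFIG = RISKY_CONFIG.replace("ldap://untrusted.example/x",
                                   "java:comp/env/jdbc/LoggingDS")

if __name__ == "__main__":
    for label, cfg in (("risky", RISKY_CONFIG), ("safe", SAFE_CONFIG)):
        print(label, jndi_findings(cfg))
```

Run it against each log4j2.xml shipped with an application before rolling the 2.17.1 upgrade; any finding is a configuration the patched release will refuse to load.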

The vulnerability has a Common Vulnerability Scoring System score of 6.6. As researchers at Snyk Ltd. noted today, it’s not as bad as it sounds, although they added that those running Log4j should apply the new patches.

“The Log4j CVE being released today requires a fairly obscure set of conditions to trigger,” Casey Ellis, founder and chief technology officer at crowdsourced security company Bugcrowd Inc., told SiliconANGLE. “So, while it’s important for people to keep an eye out for newly released CVEs for situational awareness, this CVE doesn’t appear to increase the already elevated risk of compromise via Log4j.”

Ellis explained that the vulnerability appears to have been discovered through the use of static code analysis tools in conjunction with manual review/exploit development. “As a logging library, Log4j is inherently flexible in terms of how data can be passed to it — each of these points of interaction is a potential vector for exploitation,” Ellis noted. “Many eyes are currently scouring Log4j, so it’s fairly safe to expect more of this type of vulnerability announcement over the coming weeks. In the interest of staying as up-to-date as possible with Log4j — especially if the configurations required for exploiting CVE-2021-44832 — patching to 2.17.1 is a good idea.”
