Apache Releases Security Update for New Log4j Vulnerability

A new vulnerability has been discovered in Log4j that could allow remote code execution in certain cases. The Apache Software Foundation has issued a security update (Log4j 2.17.1) to address the vulnerability, which is tracked as CVE-2021-44832.

The flaw is present in Log4j2 versions 2.0-beta7 through 2.17.0 (except for versions 2.3.2 and 2.12.4). An attacker who can change the logging configuration file can build a rogue configuration that uses a Java Naming and Directory Interface (JNDI) URI to execute code.

The impact of the issue is graded lower than earlier RCE vulnerabilities in Log4j since an attacker must be able to edit the configuration file. CVE-2021-44832 has a vulnerability score of 6.6 on a scale of 1 to 10.

However, users should upgrade to Log4j 2.3.2 (Java 6), 2.12.4 (Java 7) or 2.17.1 (Java 8 and newer) as soon as feasible, according to the Apache Software Foundation.
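The affected range and the per-Java fixed releases stated above can be turned into an inventory check. The following Python is an added example, not code from Apache or from the original article; the jar names in `SAMPLE_JARS` are constructed, and identifying Log4j by a `log4j-core-<version>.jar` file name is an assumption about how the library is deployed.

```python
import re

# Fixed releases named in the article, keyed by the Java version they target.
FIXED_BY_JAVA = {6: "2.3.2", 7: "2.12.4", 8: "2.17.1"}
# Releases inside the 2.0-beta7..2.17.0 range that already carry the fix.
PATCHED_BACKPORTS = {"2.3.2", "2.12.4"}

_VERSION = re.compile(r"^(\d+)\.(\d+)(?:\.(\d+))?(?:-(alpha|beta|rc)(\d+))?$")
_STAGE = {"alpha": 0, "beta": 1, "rc": 2, None: 3}  # a final release sorts last
_JAR = re.compile(r"log4j-core-(.+)\.jar$")  # assumed naming convention

# Constructed sample input, not taken from any real system.
SAMPLE_JARS = [
    "lib/log4j-core-2.14.1.jar",
    "lib/log4j-core-2.12.4.jar",
    "lib/log4j-core-2.0-beta6.jar",
    "lib/log4j-core-2.17.1.jar",
    "lib/log4j-api-2.14.1.jar",  # not log4j-core, so it is skipped
]

def version_key(version):
    """Sortable tuple so that 2.0-beta7 < 2.0-rc1 < 2.0 < 2.0.1 < 2.17.0."""
    m = _VERSION.match(version.strip().lower())
    if not m:
        raise ValueError(f"unrecognised Log4j version: {version!r}")
    major, minor, patch, stage, n = m.groups()
    return (int(major), int(minor), int(patch or 0), _STAGE[stage], int(n or 0))

def is_affected(version):
    """True if version is in 2.0-beta7..2.17.0 and is not a patched backport."""
    if version.strip() in PATCHED_BACKPORTS:
        return False
    return version_key("2.0-beta7") <= version_key(version) <= version_key("2.17.0")

def upgrade_target(java_major):
    """Fixed release per the article: Java 6 -> 2.3.2, 7 -> 2.12.4, 8+ -> 2.17.1."""
    if java_major < 6:
        raise ValueError("the article lists no fixed release for Java older than 6")
    return FIXED_BY_JAVA[min(java_major, 8)]

def audit(jar_names, java_major):
    """Map each log4j-core jar to its upgrade target, or None if not affected."""
    report = {}
    for name in jar_names:
        m = _JAR.search(name)
        if m:
            affected = is_affected(m.group(1))
            report[name] = upgrade_target(java_major) if affected else None
    return report
```

A file-name match only shows which release is on disk; shaded or repackaged copies of Log4j need a separate check.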

Less Serious than Previous Vulnerabilities

In practice, the vulnerability is harder to exploit than the major Log4j flaw discovered earlier this month, because the attacker must already have access to the logging configuration file. It is also less serious than the vulnerability found in the subsequent security update. In total, four vulnerabilities have been uncovered in Log4j in the last several weeks.

To sum up, the four vulnerabilities found in Log4j over the past three weeks are the following:

  • CVE-2021-45105: Allowing Denial of Service attacks (CVSS Score 5.9)
  • CVE-2021-45046: Allowing Remote Code Execution (CVSS Score 9.0)
  • CVE-2021-44228: Allowing Remote Code Execution (CVSS Score 10.0)
  • CVE-2021-44832: Allowing Remote Code Execution (CVSS Score 6.6)
