Apache has released yet another patch for the now-infamous Log4j utility, which delivers a fix for a new remote code execution vulnerability.
The logging utility has been the center of attention in the cybersecurity community for much of December, after a major vulnerability was discovered that enabled malicious actors with very limited knowledge to run scripts remotely.
This gaping hole has since been patched, but the newer version of the logger came with flaws of its own, albeit not as dangerous as the original. Soon after that vulnerability was patched, yet another issue was discovered.
With Log4j version 2.17.1, the latest vulnerability (tracked as CVE-2021-44832) has now been fixed. All users have been urged to prioritize the update.
Another Log4j patch
The latest vulnerability is classified as a remote code execution flaw, stemming from the lack of extra controls on JNDI access in Log4j. As BleepingComputer reports, the flaw is rated “Moderate” in severity and has been assigned a score of 6.6/10 under the Common Vulnerability Scoring System (CVSS).
“JDBC Appender should use JndiManager when accessing JNDI. JNDI access should be controlled via a system property,” the flaw description explains.
“Related to CVE-2021-44832 where an attacker with permission to modify the logging configuration file can construct a malicious configuration using a JDBC Appender with a data source referencing a JNDI URI which can execute remote code.”
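As an added example (not code from the article or from the Log4j project), here is a small defender-side audit that parses a Log4j 2 XML configuration and flags any JDBC Appender whose DataSource resolves through a non-local JNDI name, which is the configuration shape the description above refers to. The `audit_log4j_config` function, the two sample configurations and the host name in them are constructed for this example.

```python
"""Audit Log4j 2 XML configurations for JDBC Appenders whose DataSource
resolves through JNDI. Constructed example; element and attribute names
follow the Log4j 2 JDBC Appender configuration format."""
import xml.etree.ElementTree as ET

# Local, in-container JNDI names are the normal case for a JDBC DataSource;
# any other scheme (ldap://, rmi://, ...) could reach a remote naming service
# and should be reviewed before the configuration is deployed.
SAFE_PREFIX = "java:"


def audit_log4j_config(xml_text: str) -> list[str]:
    """Return one finding per risky <DataSource jndiName=...> under a JDBC appender."""
    root = ET.fromstring(xml_text)
    findings = []
    for appender in root.iter():
        # Log4j accepts either <JDBC ...> or the generic <Appender type="JDBC" ...>.
        is_jdbc = appender.tag == "JDBC" or (
            appender.tag == "Appender" and appender.get("type", "").upper() == "JDBC")
        if not is_jdbc:
            continue
        name = appender.get("name", "<unnamed>")
        for ds in appender.findall("DataSource"):
            jndi = ds.get("jndiName", "")
            if jndi and not jndi.startswith(SAFE_PREFIX):
                findings.append(
                    f"appender '{name}': DataSource jndiName '{jndi}' is not a local java: name")
    return findings


# Constructed sample configurations (not taken from any real deployment).
SAFE_CONFIG = """<Configuration>
  <Appenders>
    <JDBC name="db" tableName="logs">
      <DataSource jndiName="java:comp/env/jdbc/LoggingDataSource"/>
      <Column name="message" pattern="%m"/>
    </JDBC>
  </Appenders>
</Configuration>"""

RISKY_CONFIG = """<Configuration>
  <Appenders>
    <Appender type="JDBC" name="db" tableName="logs">
      <DataSource jndiName="ldap://naming.example.invalid/Log"/>
    </Appender>
  </Appenders>
</Configuration>"""

if __name__ == "__main__":
    for label, cfg in (("safe", SAFE_CONFIG), ("risky", RISKY_CONFIG)):
        print(label, audit_log4j_config(cfg) or "no findings")
```

On 2.17.1 the JDBC Appender refuses JNDI data sources unless explicitly re-enabled, so a configuration audit like this is most useful for fleets that cannot upgrade immediately.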
The original Log4j vulnerability, tracked as CVE-2021-44228, was given the nickname Log4Shell. It allowed crooks to run virtually any code remotely and, given the widespread use of Log4j, quickly became a nightmare for corporations and government organizations around the world.
Jen Easterly, Director of the US Cybersecurity and Infrastructure Security Agency (CISA), described it as “one of the most serious” flaws she’s seen in her entire career, “if not the most serious”.