Apache Releases Log4j Version 2.17.1 to Patch New Remote Code Execution Vulnerability
Last month, a security researcher discovered a new zero-day exploit in the Apache Log4j Java-based logging library that threat actors could abuse to execute malicious code on affected systems. Apache has released a new update (Log4j version 2.17.1) this week that aims to address the remote code execution (RCE) vulnerability in v2.17.0.
For those unfamiliar, Log4j is a popular Java library developed by the open-source Apache Software Foundation. It’s used by developers to log error messages in enterprise apps and cloud services such as Minecraft, Steam, and Apple iCloud.
The original Log4Shell vulnerability, tracked as CVE-2021-44228, was first reported by Chen Zhaojun from Alibaba Cloud’s security team to Apache on November 24. According to the Internet infrastructure provider Cloudflare, the Log4j exploits started impacting vulnerable systems on December 1.
The vulnerability allowed attackers to execute remote code on various servers or applications by modifying the Log4j logging configuration file. It’s one of the most high-profile security flaws on the internet that significantly impacted enterprise and government customers running Log4j versions 2.0 to 2.14.1 in their ecosystems.
“Apache Log4j2 versions 2.0-beta7 through 2.17.0 (excluding security fix releases 2.3.2 and 2.12.4) are vulnerable to a remote code execution (RCE) attack where an attacker with permission to modify the logging configuration file can construct a malicious configuration using a JDBC Appender with a data source referencing a JNDI URI which can execute remote code. This issue is fixed by limiting JNDI data source names to the java protocol in Log4j2 versions 2.17.1, 2.12.4, and 2.3.2,” Apache explained.
Fifth vulnerability affecting Log4j version 1.2 has not been fixed in this release
The latest update primarily addresses the four security flaws discovered in Log4j, and the list includes CVE-2021-44228, CVE-2021-45046, CVE-2021-45105, and CVE-2021-4104. However, it is important to note that the fifth vulnerability affecting Log4j version 1.2 has not been fixed in this release.
The Apache Software Foundation recommends users immediately install Log4j version 2.17.1 (for Java 8 and later). Meanwhile, it is also planning to release a fix for Log4j versions 2.12.4 (for Java 7) and 2.3.2 (for Java 6) in the coming days.
More in Security
Microsoft Releases Patches to Address Azure FabricScape Flaw Affecting Linux Workloads
Jun 29, 2022 | Rabia Noureen
Microsoft Defender for Identity Can Now Detect Insecure Domain Configurations
Jun 27, 2022 | Rabia Noureen
CISA Warns Unpatched VMware Servers Remain Vulnerable to Log4Shell
Jun 24, 2022 | Rabia Noureen
QNAP Releases Patch to Fix PHP Security Flaw Affecting Select NAS Devices
Jun 23, 2022 | Rabia Noureen
Microsoft Unveils New Edge Secured-Core IoT Devices to Block Firmware Attacks
Jun 22, 2022 | Rabia Noureen
QNAP Warns NAS Users About New DeadBolt Ransomware Campaign
Jun 20, 2022 | Rabia Noureen
Most popular on petri