Apache Releases Log4j Version 2.17.1 to Patch New Remote Code Execution Vulnerability

Last month, a security researcher discovered a new zero-day exploit in the Apache Log4j Java-based logging library that threat actors could abuse to execute malicious code on affected systems. Apache has released a new update (Log4j version 2.17.1) this week that aims to address the remote code execution (RCE) vulnerability in v2.17.0.

For those unfamiliar, Log4j is a popular Java library developed by the open-source Apache Software Foundation. It’s used by developers to log error messages in enterprise apps and cloud services such as Minecraft, Steam, and Apple iCloud.

The original Log4Shell vulnerability, tracked as CVE-2021-44228, was first reported by Chen Zhaojun from Alibaba Cloud’s security team to Apache on November 24. According to the Internet infrastructure provider Cloudflare, the Log4j exploits started impacting vulnerable systems on December 1.

The vulnerability allowed attackers to execute remote code on various servers or applications by modifying the Log4j logging configuration file. It’s one of the most high-profile security flaws on the internet that significantly impacted enterprise and government customers running Log4j versions 2.0 to 2.14.1 in their ecosystems.

“Apache Log4j2 versions 2.0-beta7 through 2.17.0 (excluding security fix releases 2.3.2 and 2.12.4) are vulnerable to a remote code execution (RCE) attack where an attacker with permission to modify the logging configuration file can construct a malicious configuration using a JDBC Appender with a data source referencing a JNDI URI which can execute remote code. This issue is fixed by limiting JNDI data source names to the java protocol in Log4j2 versions 2.17.1, 2.12.4, and 2.3.2,” Apache explained.
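The restriction Apache describes can be checked against existing configuration files. The following is an added example, not code from Apache or from this article: a Python audit of a Log4j2 XML configuration that reports every JDBC Appender `DataSource` whose `jndiName` falls outside the `java` protocol. The sample configuration, its appender names and the placeholder host are constructed, and only the concise XML syntax is assumed.

```python
import xml.etree.ElementTree as ET

# Constructed sample configuration (not from the article); the host is a placeholder.
SAMPLE_CONFIG = """<Configuration status="warn">
  <Appenders>
    <JDBC name="ok" tableName="app_log">
      <DataSource jndiName="java:/comp/env/jdbc/LoggingDataSource"/>
    </JDBC>
    <JDBC name="remote" tableName="app_log">
      <DataSource jndiName="ldap://directory.example.invalid/cn=ds"/>
    </JDBC>
    <jdbc name="indirect" tableName="app_log">
      <datasource JNDIName="${env:LOG_DS}"/>
    </jdbc>
  </Appenders>
</Configuration>"""


def local(tag):
    """Lower-cased element name with any XML namespace stripped."""
    return tag.rsplit("}", 1)[-1].lower()


def audit_jdbc_datasources(xml_text):
    """Return (appender name, jndiName, verdict) for every JDBC DataSource."""
    findings = []
    root = ET.fromstring(xml_text)
    for appender in root.iter():
        if local(appender.tag) != "jdbc":
            continue
        for child in appender:
            if local(child.tag) != "datasource":
                continue
            # Log4j2 treats element and attribute names case-insensitively.
            attrs = {k.lower(): v.strip() for k, v in child.attrib.items()}
            name = attrs.get("jndiname", "")
            if "${" in name:
                verdict = "review"    # substituted at runtime, needs a manual look
            elif name.startswith("java:"):
                verdict = "ok"        # the only protocol the fixed releases allow
            else:
                verdict = "non-java"  # empty or another protocol such as ldap
            findings.append((appender.get("name"), name, verdict))
    return findings


if __name__ == "__main__":
    for row in audit_jdbc_datasources(SAMPLE_CONFIG):
        print(*row, sep="\t")
```

A `review` verdict means the value is filled in by property substitution, so the resolved name has to be checked in the deployment environment.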

Fifth vulnerability affecting Log4j version 1.2 has not been fixed in this release

The latest update primarily addresses the four security flaws discovered in Log4j: CVE-2021-44228, CVE-2021-45046, CVE-2021-45105, and CVE-2021-4104. However, it is important to note that the fifth vulnerability, which affects Log4j version 1.2, has not been fixed in this release.

The Apache Software Foundation recommends users immediately install Log4j version 2.17.1 (for Java 8 and later). Meanwhile, it is also planning to release a fix for Log4j versions 2.12.4 (for Java 7) and 2.3.2 (for Java 6) in the coming days.