Apache Releases Log4j Version 2.17.1 to Patch New Remote Code Execution Vulnerability
Last month, a security researcher discovered a new zero-day exploit in the Apache Log4j Java-based logging library that threat actors could abuse to execute malicious code on affected systems. Apache has released a new update (Log4j version 2.17.1) this week that aims to address the remote code execution (RCE) vulnerability in v2.17.0.
For those unfamiliar, Log4j is a popular Java library developed by the open-source Apache Software Foundation. It’s used by developers to log error messages in enterprise apps and cloud services such as Minecraft, Steam, and Apple iCloud.
The original Log4Shell vulnerability, tracked as CVE-2021-44228, was first reported by Chen Zhaojun from Alibaba Cloud’s security team to Apache on November 24. According to the Internet infrastructure provider Cloudflare, the Log4j exploits started impacting vulnerable systems on December 1.
The vulnerability allowed attackers to execute remote code on various servers or applications by modifying the Log4j logging configuration file. It’s one of the most high-profile security flaws on the internet that significantly impacted enterprise and government customers running Log4j versions 2.0 to 2.14.1 in their ecosystems.
“Apache Log4j2 versions 2.0-beta7 through 2.17.0 (excluding security fix releases 2.3.2 and 2.12.4) are vulnerable to a remote code execution (RCE) attack where an attacker with permission to modify the logging configuration file can construct a malicious configuration using a JDBC Appender with a data source referencing a JNDI URI which can execute remote code. This issue is fixed by limiting JNDI data source names to the java protocol in Log4j2 versions 2.17.1, 2.12.4, and 2.3.2,” Apache explained.
Fifth vulnerability affecting Log4j version 1.2 has not been fixed in this release
The latest update primarily addresses the four security flaws discovered in Log4j, and the list includes CVE-2021-44228, CVE-2021-45046, CVE-2021-45105, and CVE-2021-4104. However, it is important to note that the fifth vulnerability affecting Log4j version 1.2 has not been fixed in this release.
The Apache Software Foundation recommends users immediately install Log4j version 2.17.1 (for Java 8 and later). Meanwhile, it is also planning to release a fix for Log4j versions 2.12.4 (for Java 7) and 2.3.2 (for Java 6) in the coming days.
More in Security
How to Enable Windows 11 Config Lock on Secured-Core PCs
Dec 2, 2022 | Dean Ellerby
Microsoft Defender Vulnerability Management Now Supports Firmware Assessments
Nov 29, 2022 | Rabia Noureen
Microsoft Entra Workload Identities Service is Now Generally Available
Nov 29, 2022 | Rabia Noureen
Microsoft Authenticator to Enable Number Matching Security Feature by Default in February 2023
Nov 21, 2022 | Rabia Noureen
Microsoft Defender for Endpoint Adds Network Protection on iOS and Android
Nov 11, 2022 | Rabia Noureen
What is a Software-Defined Perimeter?￼
Nov 11, 2022 | Sukesh Mudrakola
Most popular on petri