Apache Releases Log4j Version 2.17.1 to Patch New Remote Code Execution Vulnerability
Last month, a security researcher discovered a new zero-day exploit in the Apache Log4j Java-based logging library that threat actors could abuse to execute malicious code on affected systems. Apache has released a new update (Log4j version 2.17.1) this week that aims to address the remote code execution (RCE) vulnerability in v2.17.0.
For those unfamiliar, Log4j is a popular Java library developed by the open-source Apache Software Foundation. It’s used by developers to log error messages in enterprise apps and cloud services such as Minecraft, Steam, and Apple iCloud.
The original Log4Shell vulnerability, tracked as CVE-2021-44228, was first reported by Chen Zhaojun from Alibaba Cloud’s security team to Apache on November 24. According to the Internet infrastructure provider Cloudflare, the Log4j exploits started impacting vulnerable systems on December 1.
The vulnerability allowed attackers to execute remote code on various servers or applications by modifying the Log4j logging configuration file. It’s one of the most high-profile security flaws on the internet that significantly impacted enterprise and government customers running Log4j versions 2.0 to 2.14.1 in their ecosystems.
“Apache Log4j2 versions 2.0-beta7 through 2.17.0 (excluding security fix releases 2.3.2 and 2.12.4) are vulnerable to a remote code execution (RCE) attack where an attacker with permission to modify the logging configuration file can construct a malicious configuration using a JDBC Appender with a data source referencing a JNDI URI which can execute remote code. This issue is fixed by limiting JNDI data source names to the java protocol in Log4j2 versions 2.17.1, 2.12.4, and 2.3.2,” Apache explained.
Fifth vulnerability affecting Log4j version 1.2 has not been fixed in this release
The latest update primarily addresses the four security flaws discovered in Log4j, and the list includes CVE-2021-44228, CVE-2021-45046, CVE-2021-45105, and CVE-2021-4104. However, it is important to note that the fifth vulnerability affecting Log4j version 1.2 has not been fixed in this release.
The Apache Software Foundation recommends users immediately install Log4j version 2.17.1 (for Java 8 and later). Meanwhile, it is also planning to release a fix for Log4j versions 2.12.4 (for Java 7) and 2.3.2 (for Java 6) in the coming days.
More in Security
Microsoft Defender for Endpoint Adds Tamper Protection on macOS
Aug 16, 2022 | Rabia Noureen
Microsoft Sentinel Now Lets IT Admins Detect Low and Slow Password Spray Attacks
Aug 15, 2022 | Rabia Noureen
Google Workspace Adds Stronger Protections to Sensitive Accounts
Aug 11, 2022 | Rabia Noureen
Slack Releases Fix for Critical Bug That Exposed Hashed Passwords for Years
Aug 8, 2022 | Rabia Noureen
Microsoft Defender Experts for Hunting Lets Businesses Proactively Hunt Security Threats
Aug 4, 2022 | Rabia Noureen
VMware Releases Updates to Address Critical Authentication Bypass Flaw
Aug 3, 2022 | Rabia Noureen
Most popular on petri