
close
close
Last month, a security researcher discovered a new zero-day exploit in the Apache Log4j Java-based logging library that threat actors could abuse to execute malicious code on affected systems. Apache has released a new update (Log4j version 2.17.1) this week that aims to address the remote code execution (RCE) vulnerability in v2.17.0.
For those unfamiliar, Log4j is a popular Java library developed by the open-source Apache Software Foundation. It’s used by developers to log error messages in enterprise apps and cloud services such as Minecraft, Steam, and Apple iCloud.
advertisment
The original Log4Shell vulnerability, tracked as CVE-2021-44228, was first reported by Chen Zhaojun from Alibaba Cloud’s security team to Apache on November 24. According to the Internet infrastructure provider Cloudflare, the Log4j exploits started impacting vulnerable systems on December 1.
The vulnerability allowed attackers to execute remote code on various servers or applications by modifying the Log4j logging configuration file. It’s one of the most high-profile security flaws on the internet that significantly impacted enterprise and government customers running Log4j versions 2.0 to 2.14.1 in their ecosystems.
“Apache Log4j2 versions 2.0-beta7 through 2.17.0 (excluding security fix releases 2.3.2 and 2.12.4) are vulnerable to a remote code execution (RCE) attack where an attacker with permission to modify the logging configuration file can construct a malicious configuration using a JDBC Appender with a data source referencing a JNDI URI which can execute remote code. This issue is fixed by limiting JNDI data source names to the java protocol in Log4j2 versions 2.17.1, 2.12.4, and 2.3.2,” Apache explained.
The latest update primarily addresses the four security flaws discovered in Log4j, and the list includes CVE-2021-44228, CVE-2021-45046, CVE-2021-45105, and CVE-2021-4104. However, it is important to note that the fifth vulnerability affecting Log4j version 1.2 has not been fixed in this release.
advertisment
The Apache Software Foundation recommends users immediately install Log4j version 2.17.1 (for Java 8 and later). Meanwhile, it is also planning to release a fix for Log4j versions 2.12.4 (for Java 7) and 2.3.2 (for Java 6) in the coming days.
More from Rabia Noureen
advertisment
Petri Newsletters
Whether it’s Security or Cloud Computing, we have the know-how for you. Sign up for our newsletters here.
advertisment
More in Security
CISA Warns Windows Admins Against Applying May Patch Tuesday Updates on Domain Controllers
May 17, 2022 | Rabia Noureen
Microsoft's New Security Experts Service Protects Businesses Against Ransomware Attacks
May 9, 2022 | Rabia Noureen
Microsoft, Google, and Apple to Expand Passwordless Login Across All Major Platforms
May 5, 2022 | Rabia Noureen
Most popular on petri
Log in to save content to your profile.
Article saved!
Access saved content from your profile page. View Saved
Join The Conversation
Create a free account today to participate in forum conversations, comment on posts and more.
Copyright ©2019 BWW Media Group