Another remote code execution vulnerability has been identified in the Log4j Java-based logging utility, this time in version 2.17.0.
Several vulnerabilities in Log4j have been identified over the past month, the first of which was the Log4Shell vulnerability – CVE-2021-44228 – that was fixed in version 2.15.0. The vulnerability was rapidly exploited by threat actors, with the first attacks exploiting the vulnerability occurring on December 9, 2021.
A further vulnerability, a critical (CVSS 9.0) Denial-of-Service bug, was then identified. The flaw, tracked as CVE-2021-45046, was due to an incomplete fix of the CVE-2021-44228 vulnerability. This issue was corrected in version 2.16.0. Then two high severity vulnerabilities – CVE-2021-4104 and CVE-2021-45105 – were identified and fixed in version 2.17.0, and a moderate severity vulnerability in the logback logging framework, CVE-2021-42550, was also detected and fixed.
The latest RCE vulnerability, tracked as CVE-2021-44832, only affects Log4j version 2.17.0. The vulnerability is an RCE flaw but has only been assigned a moderate severity score of 6.6 out of 10. The flaw is due to a lack of additional controls on JNDI access in Log4j.
The relatively low severity score is due to an attacker requiring permission to modify the logging configuration file. Also, not all deployments of 2.17.0 are affected, as there are non-default preconditions for exploiting the vulnerability. The vulnerability is also more complex to exploit than the original Log4Shell vulnerability.
CVE-2021-44832 could be exploited in a MITM attack, which would require an attacker to create a malicious configuration using a JDBC Appender with a data source that references a JNDI URL in order to achieve remote code execution.
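As an added illustration, not code from the article or from the Log4j project: a small Python check that parses a Log4j 2 XML configuration and flags any JDBC appender whose DataSource jndiName is not a local java: name, which is the configuration shape the precondition above describes. The two sample configurations and the LDAP hostname are constructed; JSON, YAML and properties configurations and ConnectionFactory-based appenders are out of scope.

```python
"""Flag Log4j 2 XML configs whose JDBC appender data source points at a
remote JNDI name, the configuration precondition for CVE-2021-44832."""
import xml.etree.ElementTree as ET

# JNDI names under java: stay inside the JVM's own naming context; any other
# scheme (ldap:, ldaps:, rmi:, dns:, ...) is resolved by a remote lookup.
LOCAL_JNDI_PREFIX = "java:"

# Constructed sample: a JDBC appender backed by a container-managed data source.
SAFE_CONFIG = """<Configuration status="warn">
  <Appenders>
    <JDBC name="databaseAppender" tableName="application_log">
      <DataSource jndiName="java:comp/env/jdbc/LoggingDataSource" />
      <Column name="message" pattern="%message" />
    </JDBC>
  </Appenders>
  <Loggers><Root level="info"><AppenderRef ref="databaseAppender"/></Root></Loggers>
</Configuration>
"""

# Constructed sample: the same appender with the data source swapped for an
# LDAP URL (placeholder host), i.e. the shape the article describes.
RISKY_CONFIG = SAFE_CONFIG.replace(
    "java:comp/env/jdbc/LoggingDataSource", "ldap://example.invalid/o=logging")


def find_remote_jndi_datasources(config_xml: str) -> list:
    """Return one finding per JDBC appender whose DataSource jndiName is not a java: name."""
    root = ET.fromstring(config_xml)  # assumes a locally stored, trusted-origin config file
    findings = []
    for appender in root.iter():
        if appender.tag.lower() != "jdbc":  # Log4j matches plugin names case-insensitively
            continue
        for ds in appender.iter():
            if ds.tag.lower() != "datasource":
                continue
            jndi_name = ds.get("jndiName", "")
            if not jndi_name.lower().startswith(LOCAL_JNDI_PREFIX):
                findings.append({
                    "appender": appender.get("name", "<unnamed>"),
                    "jndiName": jndi_name,
                    "scheme": jndi_name.split(":", 1)[0].lower() if ":" in jndi_name else "",
                })
    return findings


if __name__ == "__main__":
    for label, cfg in (("safe", SAFE_CONFIG), ("risky", RISKY_CONFIG)):
        print(label, find_remote_jndi_datasources(cfg))
```

Run this against the configuration files a deployment actually loads, and pair it with integrity monitoring on those files, since the attacker's first step here is a configuration change rather than a crafted log message.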
IT professionals are likely to be suffering from patch fatigue after updating Log4j to 2.15.0, then 2.16.0, and again to 2.17.0, but it is advisable to update Log4j once again to the latest version – 2.17.1 – to prevent exploitation.
The vulnerability was identified by Checkmarx security researcher Yaniv Nizry. Apache was notified about the flaw on December 27. On December 28, Checkmarx warned its customers about the flaw without disclosing details of the vulnerability, the bug was assigned a CVE, and version 2.17.1 was released to fix the flaw.