Following the “Log4Shell” mayhem, Apache has released multiple updates to its Log4j library addressing the bugs. Another Log4j update surfaced online this week, patching a code execution vulnerability. Users should update to Log4j 2.17.1 to receive the patch.
Log4j 2.17.1 Addresses A Code Execution Bug
Researchers from Checkmarx have shared insights about the vulnerability in the recently released Log4j version 2.17.0.
Apache rolled out this update days after releasing two different updates fixing the critical Log4Shell exploit and related bugs. Specifically, version 2.17.0 arrived as the third major update that fixed a remote code execution vulnerability triggered via WebSocket connections. While it wasn’t as severe as Log4Shell, it still posed a significant security risk to users.
While that update seemed to be the final one (at least for a while), Checkmarx researchers found another issue affecting this Log4j version.
As elaborated in a post, the researchers found this vulnerability while auditing Log4j “in the hope of finding something interesting.” Eventually, they found a deserialization vulnerability that didn’t rely on the disabled lookup feature.
Due to the lack of security checks on JNDI access, an adversary could upload malicious Log4j configuration files leading to code execution. The researchers have shared the details and a PoC exploit in their post.
After finding this vulnerability (CVE-2021-44832), the researchers responsibly disclosed it to Apache, which then worked to develop the fix.
Acknowledging the matter in an advisory, Apache described this moderate-severity vulnerability (CVSS 6.6) as,
Apache Log4j2 versions 2.0-beta7 through 2.17.0 (excluding security fix releases 2.3.2 and 2.12.4) are vulnerable to a remote code execution (RCE) attack where an attacker with permission to modify the logging configuration file can construct a malicious configuration using a JDBC Appender with a data source referencing a JNDI URI which can execute remote code.
Consequently, Apache fixed it by “limiting JNDI data source names to the java protocol” in the latest Log4j versions. Thus, users should update to Log4j 2.17.1, 2.12.4, or 2.3.2, depending on their release line, to get the patches.
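The restriction Apache describes, turned into a configuration check a defender could run over their own Log4j 2 XML files before (or after) upgrading. This is an added example, not code from the article, Checkmarx or the Log4j project; the sample configuration and its placeholder hostname are constructed, and it assumes scheme-less JNDI names are local container names and therefore allowed.

```python
# Added example (not the Log4j project's code): flag JDBC appenders whose
# DataSource JNDI name uses a protocol other than "java", the configuration
# pattern behind CVE-2021-44832 that Log4j 2.17.1 rejects by default.
import xml.etree.ElementTree as ET
from typing import List, Optional, Tuple
from urllib.parse import urlsplit

# Constructed sample configuration; the hostname is a placeholder.
SAMPLE_CONFIG = """<?xml version="1.0" encoding="UTF-8"?>
<Configuration status="WARN">
  <Appenders>
    <JDBC name="AuditDb" tableName="audit_log">
      <DataSource jndiName="java:comp/env/jdbc/LoggingDataSource"/>
      <Column name="message" pattern="%m"/>
    </JDBC>
    <JDBC name="Suspicious" tableName="audit_log">
      <DataSource jndiName="ldap://placeholder.example:1389/Object"/>
      <Column name="message" pattern="%m"/>
    </JDBC>
  </Appenders>
</Configuration>"""

ALLOWED_JNDI_SCHEMES = {"java"}  # the 2.17.1 default: java protocol only


def jndi_scheme(jndi_name: str) -> Optional[str]:
    """URI scheme of a JNDI name, lower-cased, or None for a plain name."""
    return urlsplit(jndi_name).scheme.lower() or None


def is_allowed_jndi_name(jndi_name: str) -> bool:
    """True if the name would pass the java-protocol-only restriction."""
    scheme = jndi_scheme(jndi_name)
    return scheme is None or scheme in ALLOWED_JNDI_SCHEMES


def find_risky_jdbc_data_sources(config_xml: str) -> List[Tuple[str, str]]:
    """(appender name, jndiName) for each JDBC DataSource failing the check."""
    findings = []
    for appender in ET.fromstring(config_xml).iter():
        if appender.tag.lower() != "jdbc":
            continue
        for child in appender:
            if child.tag.lower() == "datasource":
                name = child.get("jndiName", "")
                if not is_allowed_jndi_name(name):
                    findings.append((appender.get("name", "?"), name))
    return findings


if __name__ == "__main__":
    for appender_name, jndi in find_risky_jdbc_data_sources(SAMPLE_CONFIG):
        print(f"RISK: JDBC appender {appender_name!r} uses JNDI name {jndi!r}")
```

Any finding means the configuration would have been exploitable on 2.17.0 by whoever can write that file, and on 2.17.1 the appender will simply fail to resolve its data source.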