Security Experts:

Another Remote Code Execution Vulnerability Patched in Log4j

The developers of Log4j have patched another remote code execution vulnerability affecting the widely used logging utility.

CVE-2021-44228, also known as Log4Shell, was identified in late November and it has been exploited in many attacks since early December. Since the discovery of this bug, security researchers have been increasingly interested in Log4j, which, unsurprisingly, has led to the discovery of several new vulnerabilities.

The latest flaw, tracked as CVE-2021-44832, has been patched with the release of Log4j 2.17.1, 2.12.4 and 2.3.2. The fix was released on December 28, just one day after it was reported to developers.

“Apache Log4j2 versions 2.0-beta7 through 2.17.0 are vulnerable to a remote code execution (RCE) attack where an attacker with permission to modify the logging configuration file can construct a malicious configuration using a JDBC Appender with a data source referencing a JNDI URI which can execute remote code,” Log4j developers wrote in an advisory released on Tuesday.

The vulnerability has been assigned a severity rating of “moderate” with a CVSS score of 6.6, but it’s not uncommon for the severity ratings assigned to Log4j issues to change.

For example, a previously identified Log4j vulnerability, CVE-2021-45046, which can be exploited for denial-of-service (DoS) attacks, was initially classified as “medium severity” and later updated to “critical.” CVE-2021-45105, on the other hand, which is also a DoS vulnerability, was initially rated “high severity” and later changed to “medium.”

Log4Shell Tools and Resources for Defenders - Continuously Updated

Checkmarx, whose researchers discovered the latest flaw, on Tuesday published a blog post detailing CVE-2021-44832, which the cybersecurity firm described as a deserialization issue that doesn’t rely on the Lookup feature that Log4j developers disabled after the disclosure of Log4Shell to prevent abuse.

“The complexity of this vulnerability is higher than the original CVE-2021-44228 since it requires the attacker to have control over the configuration (like the ‘logback’ vulnerability CVE-2021-42550),” Checkmarx explained.

Casey Ellis, founder and CTO at Bugcrowd, noted that exploitation “requires a fairly obscure set of conditions to trigger.”

“While it's important for people to keep an eye out for newly released CVEs for situational awareness, this CVE doesn't appear to increase the already elevated risk of compromise via Log4j,” Ellis said.

“The vulnerability also appears to have been discovered through the use of static code analysis tools in conjunction with manual review/exploit development. As a logging library, Log4j is inherently flexible in terms of how data can be passed to it - each of these points of interaction is a potential vector for exploitation, and many eyes are currently scouring Log4j, so it’s fairly safe to expect more of this type of vulnerability announcement over the coming weeks,” he added.

*updated with comments from Casey Ellis

Related: CISA Says No Federal Agencies Compromised in Log4Shell Attacks to Date

Related: Chinese Government Punishes Alibaba for Not Telling It First About Log4Shell Flaw

Related: Five Eyes Nations Issue Joint Guidance on Log4j Vulnerabilities

view counter
Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.