Virtual Event Now Live: Zero Trust Strategies Summit! - Login for Access
Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Vulnerabilities

Another Remote Code Execution Vulnerability Patched in Log4j

The developers of Log4j have patched another remote code execution vulnerability affecting the widely used logging utility.

The developers of Log4j have patched another remote code execution vulnerability affecting the widely used logging utility.

CVE-2021-44228, also known as Log4Shell, was identified in late November and it has been exploited in many attacks since early December. Since the discovery of this bug, security researchers have been increasingly interested in Log4j, which, unsurprisingly, has led to the discovery of several new vulnerabilities.

The latest flaw, tracked as CVE-2021-44832, has been patched with the release of Log4j 2.17.1, 2.12.4 and 2.3.2. The fix was released on December 28, just one day after it was reported to developers.

“Apache Log4j2 versions 2.0-beta7 through 2.17.0 are vulnerable to a remote code execution (RCE) attack where an attacker with permission to modify the logging configuration file can construct a malicious configuration using a JDBC Appender with a data source referencing a JNDI URI which can execute remote code,” Log4j developers wrote in an advisory released on Tuesday.

The vulnerability has been assigned a severity rating of “moderate” with a CVSS score of 6.6, but it’s not uncommon for the severity ratings assigned to Log4j issues to change.

For example, a previously identified Log4j vulnerability, CVE-2021-45046, which can be exploited for denial-of-service (DoS) attacks, was initially classified as “medium severity” and later updated to “critical.” CVE-2021-45105, on the other hand, which is also a DoS vulnerability, was initially rated “high severity” and later changed to “medium.”

Log4Shell Tools and Resources for Defenders – Continuously Updated

Checkmarx, whose researchers discovered the latest flaw, on Tuesday published a blog post detailing CVE-2021-44832, which the cybersecurity firm described as a deserialization issue that doesn’t rely on the Lookup feature that Log4j developers disabled after the disclosure of Log4Shell to prevent abuse.

Advertisement. Scroll to continue reading.

“The complexity of this vulnerability is higher than the original CVE-2021-44228 since it requires the attacker to have control over the configuration (like the ‘logback’ vulnerability CVE-2021-42550),” Checkmarx explained.

Casey Ellis, founder and CTO at Bugcrowd, noted that exploitation “requires a fairly obscure set of conditions to trigger.”

“While it’s important for people to keep an eye out for newly released CVEs for situational awareness, this CVE doesn’t appear to increase the already elevated risk of compromise via Log4j,” Ellis said.

“The vulnerability also appears to have been discovered through the use of static code analysis tools in conjunction with manual review/exploit development. As a logging library, Log4j is inherently flexible in terms of how data can be passed to it – each of these points of interaction is a potential vector for exploitation, and many eyes are currently scouring Log4j, so it’s fairly safe to expect more of this type of vulnerability announcement over the coming weeks,” he added.

*updated with comments from Casey Ellis

Related: CISA Says No Federal Agencies Compromised in Log4Shell Attacks to Date

Related: Chinese Government Punishes Alibaba for Not Telling It First About Log4Shell Flaw

Related: Five Eyes Nations Issue Joint Guidance on Log4j Vulnerabilities

Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment

Trending

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join SecurityWeek and Hitachi Vantara for this this webinar to gain valuable insights and actionable steps to enhance your organization's data security and resilience.

Register

Event: ICS Cybersecurity Conference

The leading industrial cybersecurity conference for Operations, Control Systems and IT/OT Security professionals to connect on SCADA, DCS PLC and field controller cybersecurity.

Register

People on the Move

Threat intelligence firm Intel 471 has appointed Mark Huebeler as its COO and CFO.

Omkhar Arasaratnam, former GM at OpenSSF, is LinkedIn's first Distinguised Security Engineer

Defense contractor Nightwing has appointed Tricia Fitzmaurice as Chief Growth Officer.

More People On The Move

Expert Insights

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest cybersecurity news, threats, and expert insights. Unsubscribe at any time.