Connect with us

Hi, what are you looking for?



Another Remote Code Execution Vulnerability Patched in Log4j

The developers of Log4j have patched another remote code execution vulnerability affecting the widely used logging utility.

The developers of Log4j have patched another remote code execution vulnerability affecting the widely used logging utility.

CVE-2021-44228, also known as Log4Shell, was identified in late November and it has been exploited in many attacks since early December. Since the discovery of this bug, security researchers have been increasingly interested in Log4j, which, unsurprisingly, has led to the discovery of several new vulnerabilities.

The latest flaw, tracked as CVE-2021-44832, has been patched with the release of Log4j 2.17.1, 2.12.4 and 2.3.2. The fix was released on December 28, just one day after it was reported to developers.

“Apache Log4j2 versions 2.0-beta7 through 2.17.0 are vulnerable to a remote code execution (RCE) attack where an attacker with permission to modify the logging configuration file can construct a malicious configuration using a JDBC Appender with a data source referencing a JNDI URI which can execute remote code,” Log4j developers wrote in an advisory released on Tuesday.

The vulnerability has been assigned a severity rating of “moderate” with a CVSS score of 6.6, but it’s not uncommon for the severity ratings assigned to Log4j issues to change.

For example, a previously identified Log4j vulnerability, CVE-2021-45046, which can be exploited for denial-of-service (DoS) attacks, was initially classified as “medium severity” and later updated to “critical.” CVE-2021-45105, on the other hand, which is also a DoS vulnerability, was initially rated “high severity” and later changed to “medium.”

Log4Shell Tools and Resources for Defenders – Continuously Updated

Advertisement. Scroll to continue reading.

Checkmarx, whose researchers discovered the latest flaw, on Tuesday published a blog post detailing CVE-2021-44832, which the cybersecurity firm described as a deserialization issue that doesn’t rely on the Lookup feature that Log4j developers disabled after the disclosure of Log4Shell to prevent abuse.

“The complexity of this vulnerability is higher than the original CVE-2021-44228 since it requires the attacker to have control over the configuration (like the ‘logback’ vulnerability CVE-2021-42550),” Checkmarx explained.

Casey Ellis, founder and CTO at Bugcrowd, noted that exploitation “requires a fairly obscure set of conditions to trigger.”

“While it’s important for people to keep an eye out for newly released CVEs for situational awareness, this CVE doesn’t appear to increase the already elevated risk of compromise via Log4j,” Ellis said.

“The vulnerability also appears to have been discovered through the use of static code analysis tools in conjunction with manual review/exploit development. As a logging library, Log4j is inherently flexible in terms of how data can be passed to it – each of these points of interaction is a potential vector for exploitation, and many eyes are currently scouring Log4j, so it’s fairly safe to expect more of this type of vulnerability announcement over the coming weeks,” he added.

*updated with comments from Casey Ellis

Related: CISA Says No Federal Agencies Compromised in Log4Shell Attacks to Date

Related: Chinese Government Punishes Alibaba for Not Telling It First About Log4Shell Flaw

Related: Five Eyes Nations Issue Joint Guidance on Log4j Vulnerabilities

Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

SecurityWeek’s Threat Detection and Incident Response Summit brings together security practitioners from around the world to share war stories on breaches, APT attacks and threat intelligence.


Securityweek’s CISO Forum will address issues and challenges that are top of mind for today’s security leaders and what the future looks like as chief defenders of the enterprise.


Expert Insights

Related Content


Less than a week after announcing that it would suspended service indefinitely due to a conflict with an (at the time) unnamed security researcher...

Data Breaches

OpenAI has confirmed a ChatGPT data breach on the same day a security firm reported seeing the use of a component affected by an...

Risk Management

The supply chain threat is directly linked to attack surface management, but the supply chain must be known and understood before it can be...


The latest Chrome update brings patches for eight vulnerabilities, including seven reported by external researchers.


Patch Tuesday: Microsoft warns vulnerability (CVE-2023-23397) could lead to exploitation before an email is viewed in the Preview Pane.


Apple has released updates for macOS, iOS and Safari and they all include a WebKit patch for a zero-day vulnerability tracked as CVE-2023-23529.

IoT Security

A group of seven security researchers have discovered numerous vulnerabilities in vehicles from 16 car makers, including bugs that allowed them to control car...

IoT Security

A vulnerability affecting Dahua cameras and video recorders can be exploited by threat actors to modify a device’s system time.