Log4j Patch Hoovers Up New Remote Code Execution Bug

Apache has released another patch for Log4j, which includes a fix for a new remote code execution problem. Since the discovery of a severe flaw that permitted malicious hackers without any prior knowledge to run scripts remotely, the logging product has generated significant interest in the cybersecurity field throughout December.

The vulnerability in the original logger has now been addressed, but the newer version had its own problems, albeit not as severe as the initial one. Another problem arose soon after the hole was filled. Log4j 2.17.1 has now been released to address the most recent security flaw (CVE-2021-44832). Following the notification, users have been advised to update their software as soon as possible.

A Log4j patch

The most recent security hole is a remote code execution vulnerability in Log4j caused by the absence of additional restrictions on JNDI access. The flaw has been given a score of 6.6/10 by the Common Vulnerability Scoring System (CVSS), which classifies it as “Moderate.”

To fix it, the JDBC Appender now uses the JndiManager class when accessing JNDI, and JNDI access is restricted through a system property.

“Related to CVE-2021-44832 where an attacker with permission to modify the logging configuration file can construct a malicious configuration using a JDBC Appender with a data source referencing a JNDI URI which can execute remote code.”
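The advisory text above describes a JDBC Appender whose data source references a JNDI URI, so a defender can review existing Log4j XML configurations for that pattern. The Python script below is an added example, not code from Apache or from the original article; the sample configuration is constructed, and treating only `java:` (or scheme-less) names as expected is an assumption of the example.

```python
import xml.etree.ElementTree as ET  # stdlib parser; run only on config files you control

ALLOWED_SCHEMES = {"java"}  # assumption of this example: only local java: names are expected

# Constructed sample, trimmed to the attributes the check reads.
SAMPLE = """<Configuration><Appenders>
  <JDBC name="ok" tableName="log"><DataSource jndiName="java:/comp/env/jdbc/LogDS"/></JDBC>
  <JDBC name="remote" tableName="log"><DataSource jndiName="ldap://host.example.invalid/ds"/></JDBC>
  <Appender type="JDBC" name="dynamic" tableName="log"><DataSource jndiName="${env:DS_NAME}"/></Appender>
</Appenders></Configuration>"""


def local(tag):
    """Element name without namespace, lower-cased (Log4j matches names case-insensitively)."""
    return tag.rsplit("}", 1)[-1].lower()


def attrs(elem):
    """Attributes with lower-cased keys and whitespace-trimmed values."""
    return {k.lower(): v.strip() for k, v in elem.attrib.items()}


def is_jdbc_appender(elem):
    # Concise form <JDBC ...> or strict form <Appender type="JDBC" ...>
    return local(elem.tag) == "jdbc" or (
        local(elem.tag) == "appender" and attrs(elem).get("type", "").lower() == "jdbc")


def audit_config(xml_text):
    """Return (appender_name, jndi_name, reason) for each JDBC data source to review."""
    findings = []
    for appender in ET.fromstring(xml_text).iter():
        if not is_jdbc_appender(appender):
            continue
        name = attrs(appender).get("name", "<unnamed>")
        for child in appender.iter():
            jndi = attrs(child).get("jndiname", "")
            if not jndi:
                continue
            if "${" in jndi:
                findings.append((name, jndi, "lookup expression, resolved only at runtime"))
            elif ":" in jndi and jndi.partition(":")[0].lower() not in ALLOWED_SCHEMES:
                findings.append((name, jndi, "JNDI name uses a non-java scheme"))
    return findings


if __name__ == "__main__":
    for finding in audit_config(SAMPLE):
        print(finding)
```

A finding is a prompt to check who can write the configuration file and whether the data source name is expected, since the flaw depends on an attacker being able to modify that file.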

The original Log4j bug, for which the name Log4Shell was coined, permitted attackers to execute practically any code remotely and became a concern for firms and government agencies worldwide.

CISA’s director, Mary Beth Rundle, said the bug was “one of the most severe” she’d ever seen in her career, “if not the most severe.”