New Log4j Remote Code Execution Vulnerability

December 29, 2021

Apache has released new patches addressing a recently disclosed Remote Code Execution vulnerability.

The Vulnerability

CVE-2021-44832 (CVSS 3.1: 6.6): An attacker with permission to modify the logging configuration file can construct a malicious configuration using a JDBC Appender with a data source referencing a JNDI URI, which can execute remote code.

Affected Versions

All Log4j versions from 2.0-alpha7 to 2.17.0, excluding 2.3.2 and 2.12.4.

Log4j 1.x is not impacted by this vulnerability, but is impacted by the “Log4Shell” vulnerability and has reached End-of-Life support.

Fixed Versions

The vulnerability is fixed in:

  • Log4j 2.17.1 (Java 8).
  • Log4j 2.12.4 (Java 7).
  • Log4j 2.3.2 (Java 6).

Mitigation

CYREBRO strongly recommends following the Apache mitigation steps:

  • Upgrade to Log4j 2.3.2 (for Java 6), 2.12.4 (for Java 7), or 2.17.1 (for Java 8 and later).
  • In prior releases, confirm that if the JDBC Appender is being used, it is not configured to use any protocol other than Java.
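To make the second check concrete, here is an added example (not CYREBRO's or Apache's code) that scans a Log4j 2 XML configuration and reports every JDBC Appender whose DataSource jndiName uses a scheme other than java. It assumes the standard <JDBC>/<DataSource jndiName="..."> configuration layout (concise and strict XML forms), and the sample configuration is constructed for the demonstration.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

# Constructed sample configuration (not a real deployment). Log4j 2 accepts
# both the concise form (<JDBC ...>) and the strict form (<Appender type="JDBC">).
SAMPLE_CONFIG = """<Configuration status="warn">
  <Appenders>
    <JDBC name="safeDb" tableName="logs">
      <DataSource jndiName="java:comp/env/jdbc/LoggingDataSource"/>
    </JDBC>
    <JDBC name="riskyDb" tableName="logs">
      <DataSource jndiName="ldap://example.invalid/datasource"/>
    </JDBC>
    <Appender type="JDBC" name="strictRisky" tableName="logs">
      <DataSource jndiName="rmi://example.invalid/datasource"/>
    </Appender>
  </Appenders>
  <Loggers><Root level="info"><AppenderRef ref="safeDb"/></Root></Loggers>
</Configuration>
"""

ALLOWED_SCHEMES = {"", "java"}  # no scheme, or java: -> resolved in-process only

def is_plugin(elem, kind):
    """True if elem is the Log4j plugin `kind`, by element tag or by type= attribute."""
    return elem.tag.lower() == kind.lower() or elem.get("type", "").lower() == kind.lower()

def find_unsafe_jdbc_datasources(config_xml):
    """Return (appender name, jndiName, scheme) for every JDBC appender whose
    DataSource JNDI name uses a scheme other than java (ldap, rmi, ...)."""
    findings = []
    for appender in ET.fromstring(config_xml).iter():
        if not is_plugin(appender, "JDBC"):
            continue
        for child in appender:
            if not is_plugin(child, "DataSource"):
                continue
            jndi = child.get("jndiName", "")
            scheme = urlsplit(jndi).scheme.lower()  # '' when the name has no scheme
            if scheme not in ALLOWED_SCHEMES:
                findings.append((appender.get("name", "<unnamed>"), jndi, scheme))
    return findings

if __name__ == "__main__":
    for name, jndi, scheme in find_unsafe_jdbc_datasources(SAMPLE_CONFIG):
        print(f"appender {name!r}: DataSource jndiName {jndi!r} uses scheme {scheme!r}")
```

Run it against each log4j2.xml shipped with an application still on a pre-fix release; an empty result means no JDBC DataSource points outside the in-process java: namespace.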

Note that only the log4j-core JAR file is impacted by this vulnerability. Applications using only the log4j-api JAR file without the log4j-core JAR file are not impacted by this vulnerability.

Also, note that Apache Log4j is the only Logging Services subproject affected by this vulnerability. Other projects like Log4net and Log4cxx are not impacted by this.
