Apache has released Log4j 2.17.1, which fixes CVE-2021-44832, a newly found remote code execution (RCE) vulnerability in 2.17.0. Until now, 2.17.0, the most current version of Log4j, was considered the safest release to update to. That recommendation has since changed.
Threat actors began mass exploitation of the original Log4Shell vulnerability (CVE-2021-44228) on December 9th, after a PoC exploit for it appeared on GitHub. Given Log4j’s widespread use in most Java applications, Log4Shell quickly became a nightmare for businesses and governments throughout the world.
While the original Log4Shell attack poses a serious threat, weaker variants of the vulnerability have since been discovered in Log4j 2.15 and 2.16, versions that were previously thought to be fully fixed.
After a DoS weakness was found in 2.16, the advice quickly changed to updating to 2.17.0, which was judged the safest of all. However, a fifth vulnerability, an RCE flaw, has now been identified in 2.17.0, and the fix ships in the latest release, 2.17.1, which is available now. The vulnerability is rated ‘Moderate’ in severity and has a CVSS score of 6.6. It is caused by Log4j’s lack of additional restrictions on JNDI access.
Yaniv Nizry, a security researcher at Checkmarx, claimed credit for alerting Apache to the vulnerability. Nizry’s tweet went viral immediately, drawing comments and memes from security professionals and ‘victims’ of the ongoing Log4j-patching fatigue.
“I hope this is a joke, I hope so much 😔 #log4j,” tweeted one user in response.
“We are LONG past the point where the only responsible thing to do is put up a giant flashing neon sign that reads ‘LOG4J CANNOT BE FIXED, DO NOT USE IT FOR ANYTHING.’” taunted another.
Security expert Kevin Beaumont described the incident as another “failed Log4j disclosure in motion” during the holidays.
At the time of Nizry’s tweet, there was no formal advisory or memo disclosing an RCE problem in Log4j 2.17. The tweet itself contained no details about the vulnerability or how it might be exploited. Still, it prompted a slew of security experts and netizens to investigate the claim within minutes.
The Log4Shell exploit release on December 9th demonstrated that premature disclosure of security vulnerabilities can entice threat actors into destructive scanning and exploitation campaigns.
The vulnerability (CVE-2021-44832) was initially discovered by Marc Rogers, VP of cybersecurity at Okta. Exploiting it requires a non-default Log4j configuration with settings loaded from a remote server.
Users of Log4j should update to version 2.17.1 (for Java 8) right away. The patch is scheduled to be backported soon to versions 2.12.4 (Java 7) and 2.3.2 (Java 6).
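A defender-side check for the update guidance above, added here as an example (it is not code from the article or from the Log4j project): it reads the version recorded in each log4j-core jar’s Maven pom.properties and compares it, per release line, with the fixed versions named in the article. The pom.properties path and the fake jar used as sample input are assumptions made for the example.

```python
"""Flag log4j-core jars still below the fixed releases the article names:
2.17.1 (main 2.x line, Java 8), 2.12.4 (Java 7 backport), 2.3.2 (Java 6 backport).
Added example, not from the article or the Log4j project."""

import io
import re
import zipfile

# Maven metadata that log4j-core ships inside the jar (assumed path).
POM_PATH = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
FIXED_MAIN = (2, 17, 1)                                  # main 2.x line
FIXED_BY_LINE = {(2, 3): (2, 3, 2), (2, 12): (2, 12, 4)}  # Java 6 / Java 7 backport lines

def parse_version(text):
    """'2.17.0' -> (2, 17, 0); qualifiers such as '-beta9' are ignored."""
    m = re.match(r"(\d+)\.(\d+)(?:\.(\d+))?", text.strip())
    if not m:
        raise ValueError(f"unparseable log4j version: {text!r}")
    return tuple(int(g or 0) for g in m.groups())

def is_fixed(version):
    """True if this log4j-core version carries the CVE-2021-44832 fix."""
    v = parse_version(version)
    return v >= FIXED_BY_LINE.get(v[:2], FIXED_MAIN)

def jar_log4j_version(jar_bytes):
    """Return the log4j-core version recorded in the jar, or None if absent."""
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as zf:
        if POM_PATH not in zf.namelist():
            return None
        for line in zf.read(POM_PATH).decode("utf-8").splitlines():
            if line.startswith("version="):
                return line.split("=", 1)[1].strip()
    return None

def make_fake_jar(version):
    """Constructed sample input: a minimal jar carrying only pom.properties."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(POM_PATH, f"artifactId=log4j-core\nversion={version}\n")
    return buf.getvalue()

def scan(paths):
    """Yield (path, version, fixed) for each jar on disk that bundles log4j-core."""
    for p in paths:
        with open(p, "rb") as f:
            v = jar_log4j_version(f.read())
        if v is not None:
            yield p, v, is_fixed(v)
```

Run `scan()` over the jars of a deployment (including jars nested in WAR or EAR archives, which you would need to unpack first) and treat every entry that reports `False` as needing the update.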