The Apache Software Foundation (ASF) released new fixes on Tuesday to address an arbitrary code execution bug in Log4j that could be exploited by cybercriminals to run malicious code on vulnerable machines, making it the product's fifth security vulnerability in less than a month. The bug, tracked as CVE-2021-44832, is rated 6.6 on a 10-point severity scale and affects all versions of the logging library from 2.0-alpha7 to 2.17.0, excluding 2.3.2 and 2.12.4. Log4j 1.x is unaffected; organizations are advised to upgrade to Log4j 2.3.2 (for Java 6), 2.12.4 (for Java 7), or 2.17.1 (for Java 8 and later).
According to an advisory from the Apache Software Foundation, an adversary with permission to modify the logging configuration file can craft a malicious configuration using a JDBC Appender whose data source references a JNDI URI, which can lead to remote code execution. In Log4j versions 2.17.1, 2.12.4, and 2.3.2, this issue is resolved by restricting JNDI data source names to the java protocol.
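As an added illustration of the fix described above (not code from the page or from Log4j itself), the following Python audit walks a Log4j 2 XML configuration and reports every JDBC appender DataSource whose jndiName does not use the java: scheme, the same restriction the patched releases enforce. The JDBC and DataSource element names and the jndiName attribute follow Log4j 2's JDBC appender configuration; the sample configurations and the hostname in them are constructed.

```python
import xml.etree.ElementTree as ET
from typing import List
from urllib.parse import urlsplit


def find_unsafe_jdbc_datasources(config_xml: str) -> List[str]:
    """Return the jndiName of every JDBC appender DataSource whose scheme is not java:.

    Log4j 2 matches plugin and attribute names case-insensitively, so the
    comparison is done in lower case. Anything other than an explicit java:
    scheme (including a scheme-less name) is reported for manual review.
    """
    root = ET.fromstring(config_xml)
    findings = []
    for element in root.iter():
        if element.tag.lower() != "jdbc":  # only the JDBC appender is relevant here
            continue
        for child in element.iter():
            if child.tag.lower() != "datasource":
                continue
            attrs = {k.lower(): v for k, v in child.attrib.items()}
            jndi_name = attrs.get("jndiname", "")
            if urlsplit(jndi_name).scheme.lower() != "java":
                findings.append(jndi_name)
    return findings


# Constructed sample: a DataSource resolved through the container's local
# java: namespace, which is what the patched releases still permit.
SAFE_CONFIG = """<Configuration status="warn">
  <Appenders>
    <JDBC name="db" tableName="app_log">
      <DataSource jndiName="java:comp/env/jdbc/LoggingDB"/>
      <Column name="message" pattern="%m"/>
    </JDBC>
  </Appenders>
</Configuration>"""

# Constructed sample: the same appender with its DataSource pointed at a
# non-java JNDI URI, the configuration shape the advisory warns about.
RISKY_CONFIG = SAFE_CONFIG.replace(
    "java:comp/env/jdbc/LoggingDB", "ldap://config.example.invalid:1389/ds")

if __name__ == "__main__":
    for label, cfg in (("safe", SAFE_CONFIG), ("risky", RISKY_CONFIG)):
        print(label, find_unsafe_jdbc_datasources(cfg))
```

Run it against each log4j2.xml in a deployment (for example with a loop over the files) before and after upgrading to confirm no appender relies on a non-java JNDI lookup.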
Although the ASF did not credit anyone for the vulnerability, Checkmarx security researcher Yaniv Nizry claimed credit for reporting it to Apache on December 27.
Including this fix, four flaws have now been patched in Log4j since the Log4Shell vulnerability was disclosed earlier this month, not counting a fifth flaw affecting Log4j 1.2 that will not be patched.
The news comes as intelligence agencies from Australia, Canada, New Zealand, the United Kingdom, and the United States released a joint advisory warning of malicious actors exploiting the vulnerability in Apache's Log4j software library.