White Hat Institute

White Hat Institute Logo - I
Menu
Donate

The fifth security flaw has been uncovered in Log4j

  • December 29, 2021
log4j fifth security flaw

The Apache Software Foundation (ASF) released new fixes on Tuesday to address an arbitrary code execution bug in Log4j that may be exploited by cybercriminals to execute malicious scripts on vulnerable machines, making it the product’s fifth security vulnerability in less than a month. The bug, dubbed CVE-2021–44832, is graded 6.6 on a 10-point severity scale and affects all editions of the logging library from 2.0-alpha7 to 2.17.0, excluding 2.3.2 and 2.12.4. While Log4j 1.x is unaffected, companies are advised to upgrade to Log4j 2.3.2 (for Java 6), 2.12.4 (for Java 7), or 2.17.1 (for Java 8 and later).

According to an alert from the Apache Software Foundation, an adversary with the authority to edit the logging configuration file can generate a malicious setting using just a JDBC Appender with a data source specifying a JNDI URI that can execute remote code. In Log4j versions 2.17.1, 2.12.4, and 2.3.2, this problem is resolved by restricting JNDI data source names to the java protocol.

Despite the fact that the ASF gave no recognition for the vulnerability, Checkmarx security researcher Yaniv Nizry took the credit for submitting it to Apache on December 27.

The recent patch addresses a total of four problems in Log4j since the Log4Shell weakness was discovered earlier this month, not to mention a fifth weakness targeting versions Log4j 1.2 that will not be patched.

  • CVE-2021–44228 (CVSS score: 10.0) — A remote code execution flaw in Log4j versions 2.0-beta9 to 2.14.1. (Fixed in version 2.15.0)
  • CVE-2021–45046 (CVSS 9.0) — A remote code execution and data leak flaw impacting Log4j versions 2.0-beta9 to 2.15.0, except 2.12.2. (Fixed in version 2.16.0)
  • CVE-2021–45105 (CVSS score: 7.5) — Log4j versions 2.0-beta9 to 2.16.0 are vulnerable to a denial-of-service flaw (Fixed in version 2.17.0)
  • CVE-2021–4104 (CVSS score: 8.1) — Log4j version 1.2 suffers from an untrusted deserialization issue (No fix available; Upgrade to version 2.17.1)

 

The news comes as intelligence agencies from Australia, Canada, New Zealand, the United Kingdom, and the United States released a combined advisory warning of malevolent enemies exploiting the weakness in Apache’s Log4j software library.