Another serious remote code execution vulnerability has been discovered in the Apache Log4j log library, now tracked as CVE-2021-44832. This is the third RCE and fourth vulnerability in the Log4j library, followed by CVE-2021-44228 (RCE), CVE-2021-45046 (RCE), and CVE-2021 -45105 (DoS attack).
The Apache team has now released a new Log4j version to fix this newly discovered vulnerability. According to the introduction, CVE-2021-44832 shows that Apache Log4j2 is vulnerable to RCE attacks via the JDBC Appender when an attacker controls the configuration.
|CVE-2021-44832||Remote Code Execution|
|Base CVSS Score||6.6 (AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H)|
|Affected versions||All versions from 2.0-alpha7 to 2.17.0, excluding 2.3.2 and 2.12.4|
Apache Log4j2 versions 2.0-beta7 through 2.17.0 (excluding security fixes 2.3.2 and 2.12.4) are vulnerable to remote code execution (RCE) attacks, in which an attacker with the right to modify the logging configuration file can build a malicious configuration to use the JDBC Appender with a data source that references a JNDI URI that JNDI URI can execute remote code. This issue has been resolved by restricting JNDI data source names to the java protocol in Log4j2 versions 2.17.1, 2.12.4, and 2.3.2.
Log4j 1.x is not affected by this vulnerability. Affected users can upgrade to Log4j 2.3.2 (for Java 6), 2.12.4 (for Java 7), or 2.17.1 (for Java 8 and later) to mitigate this vulnerability.
In previous versions, if the JDBC Appender is being used, please make sure it is not configured to use any protocol other than Java. Officially, we caution that only log4j-core JAR files are affected by this vulnerability. Applications that use only log4j-api JAR files and not log4j-core JAR files are not affected by this vulnerability. In addition, Apache Log4j is the only logging service subproject affected by this vulnerability. other projects such as Log4net and Log4cxx are not affected by this vulnerability.
Starting with version 2.17.1 (and 2.12.4 and 2.3.2 for Java 7 and Java 6), the JDBC Appender will use JndiManager and require the log4j2.enableJndiJdbc system property to contain a true value to enable JNDI.
The JNDI-enabled properties have been renamed from “log4j2.enableJndi” to three separate properties: log4j2.enableJndiLookup, log4j2.enableJndiJms, and log4j2. enableJndiContextSelector.
JNDI functionality has been enhanced in the following releases: 2.3.1, 2.12.2, 2.12.3 or 2.17.0. As of these releases, support for the LDAP protocol has been removed and JNDI connections are only supported for the JAVA protocol.
Details can be found here.