Apache Log4j: If you want it, I want it!

Recently, another serious remote code execution vulnerability was discovered in the Apache Log4j logging library, now traced as CVE-2021-44832. This is the third RCE and fourth vulnerability in the Log4j library, followed by CVE-2021-44228 (RCE), CVE-2021-45046 (RCE), and CVE-2021-45105 (DoS attack).

Currently, the Apache team has released a new version of Log4j to fix this newly discovered vulnerability. According to cVE-2021-44832, Apache Log4j2 is vulnerable to RCE attacks through JDBC Appender when an attacker controls configuration.

CVE-2021-44832

Remote code execution

severity

ease

Base CVSS Score

6.6 (AV: N/AC: H/PR: H/UI: N/S: U/C: H/I: H/A: H)

The affected version

All versions from 2.0-Alpha7 to 2.17.0, excluding 2.3.2 and 2.12.4

Apache Log4j2 2.0-Beta7 to 2.17.0 (not including security fix versions 2.3.2 and 2.12.4) is vulnerable to Remote code execution (RCE) attacks, An attacker with the right to modify the log configuration file could build a malicious configuration to use a JDBC Appender with a data source that references a JNDI URI that can execute remote code. This issue has been addressed by restricting the JNDI data source names to the Java protocol in Log4j2 versions 2.17.1, 2.12.4, and 2.3.2.

Log4j 1.x is not affected by this vulnerability. Affected users can upgrade to Log4j 2.3.2 (for Java 6), 2.12.4 (for Java 7), or 2.17.1 (for Java 8 and later) to mitigate the vulnerability.

In previous versions, if you were using a JDBC Appender, make sure it was not configured to use any protocol other than Java. Officially, only log4J-core JAR files are affected by this vulnerability. Applications that use only log4J-API JAR files but not log4J-core JAR files are not affected by this vulnerability. In addition, Apache Log4j is the only logging service subproject affected by this vulnerability. Other projects such as Log4net and Log4cxx are not affected by this.

Release details

Starting with version 2.17.1 (and 2.12.4 and 2.3.2 for Java 7 and Java 6), JDBC appenders will use JndiManager, The log4j2.enableJNDIJDBC system property is required to contain a true value to enable JNDI.

The JNDI enablement property has been renamed from “log4j2.enableJNDI” to three separate properties: Log4j2 enableJndiLookup, log4j2. EnableJndiJms and log4j2. EnableJndiContextSelector.

JNDI functionality has been enhanced in versions 2.3.1, 2.12.2, 2.12.3, or 2.17.0. As of these releases, LDAP protocol support has been removed, and JNDI connections support only the JAVA protocol.

Details are available at here: logging.apache.org/log4j/2.x/s…

PS: In case you can’t find this article, please click “like” to browse and find it