Yet another Log4j patch hoovers up new remote code execution bug

By Scott Marlette Last updated Dec 29, 2021

Apache has released yet another patch for the now-infamous Log4j utility, which delivers a fix for a new remote code execution vulnerability.

The logging utility has been the center of attention in the cybersecurity community for much of December, after a major vulnerability was discovered that enabled malicious actors with very limited knowledge to run scripts remotely.

This gaping hole has since been patched, but the newer version of the logger came with flaws of its own, albeit not as dangerous as the original. Soon after that vulnerability was patched, yet another issue was discovered.

With Log4j version 2.17.1., the latest vulnerability (tracked as CVE-2021-44832), has now been fixed. All users have been urged to prioritize the update.

Another Log4j patch

The latest vulnerability is classified as a remote code execution flaw, stemming from the lack of extra controls on JDNI access in Log4j. As BleepingComputer reports, the flaw is rated “Moderate” in severity, and has been assigned a score of 6.6/10 as per the Common Vulnerability Scoring System (CVSS).

“JDBC Appender should use JndiManager when accessing JNDI. JNDI access should be controlled via a system property,” the flaw description explains.

“Related to CVE-2021-44832 where an attacker with permission to modify the logging configuration file can construct a malicious configuration using a JDBC Appender with a data source referencing a JNDI URI which can execute remote code.”

The original Log4j vulnerability, tracked as CVE-2021-44228, was given the nickname Log4Shell. It allowed crooks to run virtually any code remotely and, given the widespread use of Log4j, quickly became a nightmare for corporations and government organizations around the world.

Jen Easterly, Director of the US Cybersecurity and Infrastructure Security Agency (CISA), described it as “one of the most serious” flaws she’s seen in her entire career, “if not the most serious”.

You might also want to check out our list of the best antivirus solutions around today

Via BleepingComputer

For all the latest Technology News Click Here

For the latest news and updates, follow us on Google News.

Read original article here

Denial of responsibility! TechNewsBoy.com is an automatic aggregator around the global media. All the content are available free on Internet. We have just arranged it in one platform for educational purpose only. In each content, the hyperlink to the primary source is specified. All trademarks belong to their rightful owners, all materials to their authors. If you are the owner of the content and do not want us to publish your materials on our website, please contact us by email – [email protected]. The content will be deleted within 24 hours.