Apache releases security update for new vulnerability in log4j
Apache Software Foundation has released a security update for log4j and urges administrators to update. A new vulnerability in the software allows arbitrary code execution. The vulnerability is less severe than previous vulnerabilities.
To exploit the vulnerability, an attacker must be able to modify the logging configuration file. According to the discoverer, security researcher Yaniv Nizry, the vulnerability is therefore more complex than the original Log4Shell vulnerability. If the attacker modified the logging configuration file, they can then create a configuration. He uses JDBCApender with a reference to a ‘Java Naming and Directory Interface URI’, which can execute arbitrary code. That makes an exploit possible. In this way, the attacker can access the victim’s server via a remote shell.
The vulnerability is designated CVE-2021-44832 and has a vulnerability score of 6.6 on a scale of 1 to 10. Because the attacker must already have access to the logging configuration file, in practice the vulnerability is less easy to exploit than the serious vulnerability in the log4j tool that was exposed in early December. It is also less serious than the vulnerability that was discovered in the security update that appeared on it. Four vulnerabilities were discovered in log4j in the past few weeks.
In a blog post, Nizry explains how an attacker can use the exploit. He says that since Log4Shell, Apache’s software has been under a magnifying glass by security researchers, so it is not surprising that they discover more vulnerabilities in log4j. He emphasizes that in version 2.17.0 the main attack methods are blocked, but it is still possible to execute arbitrary code execution using the default configuration of log4j.
Nizry reported the vulnerability to Apache on Monday, December 27, and received a response the same day. A day later, Apache released a security update, version 2.17.1 of the software, which should disable the vulnerability. Apache prompts users to update to log4j 2.3.2 for Java 6, log4j 2.12.4 for Java 7, or version 2.17.1 for Java 8 and newer. The vulnerability is present in all versions of the software up to and including version 2.17.0. The update also addresses a vulnerability that could allow a denial of service attack.