Another vulnerability has been discovered in Log4j, and the Apache Foundation has therefore released another patch. Version 2.17.1 of Log4j should once again close a remote code execution path.
The newly found vulnerability, CVE-2021-44832, is present in Log4j version 2.17.0. It allows attackers who already have permission to modify the logging configuration file to set up a malicious configuration that leads to remote code execution.
The vulnerability affects all versions from Log4j 2.0-alpha up to and including 2.17.0, so the recent releases are included. Only versions 2.3.2 and 2.12.4 are not affected.
Restriction of JNDI data source names
The patch closes the vulnerability by, among other things, limiting the JNDI data source names that Log4j accepts to the Java protocol, both in version 2.17.1 and in the backported patches. This also applies to version 2.12.4 for Java 8 and 2.3.2 for Java 6.
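A defender's configuration check, added here as an example and not code from the article or from the Log4j project: it scans a Log4j 2 XML configuration for JDBC appenders whose DataSource jndiName does not use the java: protocol, the shape that 2.17.1 now rejects and that a malicious configuration would contain. The sample configuration and appender names are constructed for the example.

```python
import xml.etree.ElementTree as ET
from typing import List

# Constructed sample configuration (not from the article). The first JDBC
# appender uses the local java: namespace as the 2.17.1 restriction
# requires; the second points its DataSource at a non-java: JNDI name.
SAMPLE_CONFIG = """<?xml version="1.0" encoding="UTF-8"?>
<Configuration status="WARN">
  <Appenders>
    <JDBC name="auditDb" tableName="APP_LOG">
      <DataSource jndiName="java:comp/env/jdbc/AuditDS"/>
      <Column name="message" pattern="%m"/>
    </JDBC>
    <JDBC name="remoteDb" tableName="APP_LOG">
      <DataSource jndiName="ldap://example.invalid/cn=ds"/>
      <Column name="message" pattern="%m"/>
    </JDBC>
  </Appenders>
  <Loggers><Root level="info"><AppenderRef ref="auditDb"/></Root></Loggers>
</Configuration>"""


def find_non_java_jndi_datasources(config_xml: str) -> List[str]:
    """Return the names of JDBC appenders whose DataSource jndiName is
    missing or does not use the java: protocol.

    Log4j 2 matches XML element names case-insensitively, so the tag
    comparison is lowercased. Only the conventional <JDBC> element form is
    handled here; the <Appender type="JDBC"> form is not covered.
    """
    root = ET.fromstring(config_xml)
    flagged: List[str] = []
    for appender in root.iter():
        if appender.tag.lower() != "jdbc":
            continue
        for ds in appender:
            if ds.tag.lower() != "datasource":
                continue
            jndi_name = ds.get("jndiName", "")
            scheme, sep, _ = jndi_name.partition(":")
            # A name without a scheme, or with any scheme other than
            # java, is exactly what the 2.17.1 patch refuses to load.
            if not sep or scheme.strip().lower() != "java":
                flagged.append(appender.get("name", "<unnamed>"))
    return flagged


if __name__ == "__main__":
    print("Flagged appenders:", find_non_java_jndi_datasources(SAMPLE_CONFIG))
```

Run it against the deployed log4j2.xml (for example by reading the file into config_xml) as part of an upgrade checklist; a non-empty result means the configuration would stop loading on 2.17.1 or needs review on older versions.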
More Log4j vulnerabilities expected
Researchers identified the vulnerability using standard static code analysis tools combined with manual investigation. According to experts, the vulnerability is not as serious as it seems, but the patches must nevertheless be applied. They expect more Log4j vulnerabilities to come to light in the near future, and these will of course also have to be patched.