Another Log4j patch removes a new remote code execution bug


Apache has released another patch for the now infamous Log4j utility, which fixes a new remote code execution vulnerability.

The logging utility has been the focus of the cybersecurity community for much of December, following the discovery of a major vulnerability that allowed malicious actors with very limited knowledge to execute remote scripts.

This huge hole has since been fixed, but the newer version of the logger had its own flaws, although not nearly as dangerous as the original. Shortly after that vulnerability was fixed, another issue was discovered.

With Log4j version 2.17.1, the latest vulnerability (tracked as CVE-2021-44832) has now been fixed. All users were asked to prioritize the update.

Another patch from Log4j

The latest vulnerability is classified as a remote code execution vulnerability, resulting from the lack of additional controls on JNDI access in Log4j. As reported by BleepingComputer, the vulnerability is rated "moderate" in severity and received a score of 6.6/10 under the Common Vulnerability Scoring System (CVSS).

"The JDBC Appender must use the JndiManager to access JNDI. Access to JNDI must be controlled via a system property," the vulnerability description explains.

"Related to CVE-2021-44832, where an attacker with permission to modify the logging configuration file can build a malicious configuration using a JDBC appender with a data source referencing a JNDI URI that can remotely execute code."

The original Log4j vulnerability, tracked as CVE-2021-44228, was nicknamed Log4Shell. It allowed criminals to execute virtually any code remotely, and given the widespread use of Log4j, it quickly became a nightmare for businesses and government organizations around the world.

Jen Easterly, director of the US Cybersecurity and Infrastructure Security Agency (CISA), described it as "one of the most serious flaws" she has seen in her entire career, "if not the most serious".

Via BleepingComputer