Researchers disclosed a new vulnerability in the Log4j library. ASF confirmed that the vulnerability tracked as CVE-2021-44832 is a remote code execution vulnerability, which is rated 6.6 in severity out of 10. You don’t leave with an option to ignore this one again. Keeping the significance of the Log4j in mind, it is highly recommended to fix CVE-2021-44832, a remote code execution vulnerability in the Apache Log4j library. Let’s see how to fix CVE-2021-44832- A Remote Code Execution Vulnerability in Apache Log4j Library.
Table of Contents
Summary Of CVE-2021-44832:
The first thing is to know that this vulnerability is different from other JNDI lookup vulnerabilities. This RCE vulnerability could allow attackers to modify the logging configuration file to execute code via a data source referencing a JNDI URI.
Associated CVE ID | CVE-2021-44832 |
Description | Remote Code Execution vulnerability in Log4j Logging Library |
Associated ZDI ID | NA |
CVSS Score | 6.6 Moderate |
Vector | CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Impact Score | NA |
Exploitability Score | NA |
Attack Vector (AV) | Network |
Attack Complexity (AC) | High |
Privilege Required (PR) | High |
User Interaction (UI) | None |
Scope | Unchanged |
Confidentiality (C) | High |
Integrity (I) | High |
availability (a) | High |
Exploit Code Maturity (E) | Proof-of-Concept (P) |
Remediation Level (RL) | Official Fix (O) |
Report Confidence (RC) | Confirmed (C) |
Log4j Versions Affected To CVE-2021-44832:
This vulnerability affects all Log4j versions starting from 2.0-alpha7 to 2.17.0, excluding 2.3.2 and 2.12.4. When it comes to version 1.x, the vendor said it is not tested considering out of support. Apache foundation has recommended upgrading to Log4j 2.3.2 for those who use Java 6, Log4j 2.12.4 for those who use Java 7, or Log4j 2.17.1 for the users who use Java 8 and above.
How To Fix CVE-2021-44832 A Remote Code Execution Vulnerability In Log4j?
According to Apache Foundation, “Apache Log4j2 versions 2.0-beta7 through 2.17.0 (excluding security fix releases 2.3.2 and 2.12.4) are vulnerable to a remote code execution (RCE) attack where an attacker with permission to modify the logging configuration file can construct a malicious configuration using a JDBC Appender with a data source referencing a JNDI URI which can execute remote code. This issue is fixed by limiting JNDI data source names to the java protocol in Log4j2 versions 2.17.1, 2.12.4, and 2.3.2.”
Apache Foundation
Apache foundation has recommended upgrading to Log4j 2.3.2 for those who use Java 6, Log4j 2.12.4 for those who use Java 7, or Log4j 2.17.1 for the users who use Java 8 and above.
Make a note of your Java version to upgrade the Log4j library.
Java 8 and above | Log4j 2.17.1 |
Java 7 | Log4j 2.12.4 |
java 6 | Log4j 2.3.2 |
Other mitigation guidelines to address the Remote Code Execution Vulnerability (CVE-2021-44832 ) is: Configure your JDBC Appender not to use any protocol other than Java.
Important points to be noted:
- Make sure prior releases don’t use JDBC Appender.
- Configure your JDBC Appender not to use any protocol other than Java.
- Applications that use log4j-core JAR file is vulnerable to this flaw.
- Applications using only the log4j-api JAR file without the log4j-core JAR file are no need to worry. Such applications are not affected by this vulnerability.
- Apache Log4j is the only Logging Services affected by this (CVE-2021-44832) vulnerability.
- Other subprojects such as Log4net and Log4cxx are not affected by this vulnerability.
- Please read the release notes of Log4j 2.17.1 here.
Other Log4j Vulnerabilities In 2021:
- A Critical 0-day Unauthenticated Remote Code Execution vulnerability in Log4j Logging Library (CVE-2021-44228) allows attackers to carry out unauthenticated, remote code execution attacks.
- A new vulnerability (CVE-2021-45046) Log4j library allows attackers to perform denial of service (DOS) attacks by crafting malicious input data using a JNDI Lookup pattern.
- CVE-2021-45105 was discovered as the third vulnerability within the month that allows attackers to perform Denial of Service due to infinite recursion in lookup evaluation.
- Now the latest discloser is that the Log4j is affected by CVE-2021-44832- A Remote Code Execution Vulnerability which is fixed in v2.17.1.
vulnerability | CVSS | Description | Fixed In |
CVE-2021-44228 | 10.0 Critical | Unauthenticated Remote Code Execution vulnerability in Log4j Logging Library | 2.15.0 |
CVE-2021-45046 | 3.7 Low | Denial of Service vulnerability in Log4j Logging Library | 2.16.0 |
CVE-2021-45105 | 7.5 High | Denial of Service vulnerability in Log4j Logging Library due to infinite recursion in lookup evaluation | 2.17.0 |
CVE-2021-44832 | 6.6 Medium | RCE vulnerability could allow attackers to modify the logging configuration file to execute code via a data source referencing a JNDI URI. | 2.17.1 |
We hope this post will help you know How to Fix CVE-2021-44832- A Remote Code Execution Vulnerability in Apache Log4j Library. Thanks for reading this threat post. Please share this post and help to secure the digital world. Visit our social media page on Facebook, LinkedIn, Twitter, Telegram, Tumblr, & Medium and subscribe to receive updates like this.
原创文章,作者:ItWorker,如若转载,请注明出处:https://blog.ytso.com/270111.html