Tech news from MIST

New Apache Log4j Update Released to Patch Newly Discovered Vulnerability


Lavanya Rao K

December 30, 2021

Log4j is a popular Java logging library developed by the open-source Apache Software Foundation. Developers use it to log error messages in applications and cloud services such as Minecraft, Steam, and Apple iCloud. The software is publicly accessible and collects and stores activity records on a server.

This week, Apache released a new update (Log4j version 2.17.1) that addresses the remote code execution (RCE) vulnerability in v2.17.0. The original Log4Shell vulnerability, tracked as CVE-2021-44228 and rated 6.6 in severity on a scale of 10, was first reported by Alibaba Cloud’s security team. It allowed attackers to execute remote code on servers and applications by modifying the Log4j logging configuration file; an attacker who can run code remotely on a targeted computer can steal data or take control of the system. This exposes organizations to new waves of cybersecurity risk that attackers can exploit through RCE. The attack surface is large, mainly because the Log4j library is used so widely in Java software. One of the most high-profile security flaws on the internet, it significantly impacted enterprise and government customers running Log4j versions 2.0 to 2.14.1 in their ecosystems.

The latest update primarily addresses four security flaws discovered in Log4j: CVE-2021-44228, CVE-2021-45046, CVE-2021-45105, and CVE-2021-4104. However, a fifth vulnerability, affecting Log4j version 1.2, has not been fixed in this release. The Apache Software Foundation recommends that users immediately install Log4j version 2.17.1 (for Java 8 and later). Meanwhile, it is also planning to release a fix for Log4j versions 2.12.4 (for Java 7) and 2.3.2 (for Java 6) in the coming days. The foundation also recommends installing security solutions on the servers, which will allow the launch of malicious code to be detected and the attack’s progress stopped.
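A practical follow-up to the upgrade advice above is an inventory check. The script below is an added example, not code from the article or from the Apache project: it walks a directory tree, reads the version of every log4j-core jar from its manifest, and classifies it against the version ranges the article gives (2.0 to 2.14.1 affected by Log4Shell; 2.17.1 the recommended release for Java 8 and later). The sample jars it scans are constructed in a temporary directory so it runs offline.

```python
import re
import tempfile
import zipfile
from pathlib import Path

LOG4SHELL_RANGE = ((2, 0, 0), (2, 14, 1))  # article: versions 2.0 to 2.14.1 affected by Log4Shell
RECOMMENDED = (2, 17, 1)                    # article: release recommended for Java 8 and later

def parse_version(text):
    # '2.14.1' (or '2.0') becomes a comparable 3-tuple of ints
    parts = [int(p) for p in re.findall(r"\d+", text)[:3]]
    return tuple(parts + [0] * (3 - len(parts)))

def classify(version):
    """Map a log4j-core version string to the action the article implies."""
    v = parse_version(version)
    if v[0] < 2:
        return "log4j-1.x"  # the article says the 1.2 issue is not fixed by 2.17.1
    if LOG4SHELL_RANGE[0] <= v <= LOG4SHELL_RANGE[1]:
        return "vulnerable-log4shell"
    if v < RECOMMENDED:
        return "upgrade-needed"  # past the Log4Shell range but below the recommended release
    return "ok"

def jar_version(jar_path):
    """Read Implementation-Version from the jar manifest; None if absent or unreadable."""
    try:
        with zipfile.ZipFile(jar_path) as zf:
            manifest = zf.read("META-INF/MANIFEST.MF").decode("utf-8", "replace")
    except (zipfile.BadZipFile, KeyError):
        return None
    m = re.search(r"^Implementation-Version:\s*(\S+)", manifest, re.M)
    return m.group(1) if m else None

def scan(root):
    """Walk a directory tree and classify every log4j-core jar found under it."""
    results = {}
    for jar in Path(root).rglob("log4j-core-*.jar"):
        ver = jar_version(jar)
        results[jar.name] = (ver, classify(ver) if ver else "unknown")
    return results

def demo():
    # Constructed sample input: fake jars with manifests, so the scan runs offline.
    root = Path(tempfile.mkdtemp())
    for ver in ("2.14.1", "2.16.0", "2.17.1"):
        with zipfile.ZipFile(root / f"log4j-core-{ver}.jar", "w") as zf:
            zf.writestr("META-INF/MANIFEST.MF", f"Implementation-Version: {ver}\n")
    return scan(root)
```

Point `scan()` at a real application or server directory to produce the same version-to-action table for deployed jars.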

Abridged from The Hacker News

