Remote Code Execution Vulnerability (CVE-2021-44832) Found in Apache Log4j

Issued: Thursday, 30 December, 2021
Last Revision: Thursday, 30 December, 2021
Vendor: Apache
Severity Level: Moderate
Summary:

A new remote code execution (RCE) vulnerability, tracked as CVE-2021-44832, has been discovered in Apache Log4j 2.17.0; it is rated "Moderate" in severity.

The vulnerability stems from the lack of additional controls on JNDI access in Log4j2. By using a JDBC Appender with a data source that references a JNDI URI, an attacker with permission to modify the logging configuration file can craft a malicious configuration that executes remote code on the affected system.

CVE/Vulnerability   Description                           CVSS3.0 Score
CVE-2021-44832      Remote Code Execution Vulnerability   6.6

Table 1: Vulnerability details

CVE/Vulnerability   Affected Product(s)
CVE-2021-44832      Apache Log4j2 versions 2.0-beta7 through 2.17.0 (excluding security fix releases 2.3.2 and 2.12.4)

Table 2: Vulnerable versions

Recommendation: 

Organizations are strongly encouraged to upgrade to Apache Log4j version 2.17.1.
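As an added illustration (not code from Q-CERT or the Apache Log4j project), the following Python script applies the affected-version range from Table 2 to a version string and scans a Log4j2 XML configuration for JDBC appenders whose DataSource jndiName is not a local java: name. The java:-only allowlist is an assumed safe baseline rather than something the advisory states, and the sample configuration is constructed.

```python
"""Added check for CVE-2021-44832 exposure (not Q-CERT's or Apache's code):
affected-version test per Table 2 plus a scan of a Log4j2 XML config for
JDBC appenders whose DataSource jndiName is not a local 'java:' name
(the 'java:'-only allowlist is an assumption, not part of the advisory)."""
import re
import xml.etree.ElementTree as ET

_STAGE = {"alpha": 0, "beta": 1, "rc": 2}  # pre-release rank; final release = 3

def version_key(version):
    """Turn '2.0-beta7' or '2.17.0' into a comparable tuple."""
    m = re.fullmatch(r"(\d+)\.(\d+)(?:\.(\d+))?(?:-(alpha|beta|rc)(\d*))?", version.strip())
    if not m:
        raise ValueError(f"unrecognised Log4j version: {version!r}")
    major, minor, patch, stage, num = m.groups()
    return (int(major), int(minor), int(patch or 0), _STAGE[stage] if stage else 3, int(num or 0))

def is_affected_version(version):
    """True for 2.0-beta7 through 2.17.0, except the fixed releases 2.3.2 and 2.12.4."""
    key = version_key(version)
    if key in (version_key("2.3.2"), version_key("2.12.4")):
        return False
    return version_key("2.0-beta7") <= key <= version_key("2.17.0")

def find_risky_jdbc_datasources(config_xml):
    """Return [(appender name, jndiName)] for every JDBC appender whose
    DataSource jndiName does not start with 'java:' (a non-local JNDI name)."""
    findings = []
    for jdbc in ET.fromstring(config_xml).iter("JDBC"):
        for ds in jdbc.iter("DataSource"):
            name = ds.get("jndiName", "")
            if not name.startswith("java:"):
                findings.append((jdbc.get("name", "?"), name))
    return findings

# Constructed sample: one local data source and one with a placeholder non-local scheme.
SAMPLE_CONFIG = """<Configuration>
  <Appenders>
    <JDBC name="localDb" tableName="logs">
      <DataSource jndiName="java:comp/env/jdbc/LoggingDB"/>
    </JDBC>
    <JDBC name="suspectDb" tableName="logs">
      <DataSource jndiName="placeholder-remote-scheme://example.invalid/ds"/>
    </JDBC>
  </Appenders>
</Configuration>"""

if __name__ == "__main__":
    for v in ("2.0-beta6", "2.0-beta7", "2.3.2", "2.12.4", "2.17.0", "2.17.1"):
        print(v, "affected" if is_affected_version(v) else "not affected")
    print(find_risky_jdbc_datasources(SAMPLE_CONFIG))
```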