CVE-2021-44832: Apache Log4j2 Remote Code Execution Vulnerability Alert

CVE-2021-44832
Another serious remote code execution vulnerability has been discovered in the Apache Log4j logging library; it is tracked as CVE-2021-44832. This is the third RCE and the fourth vulnerability overall in the Log4j library, following CVE-2021-44228 (RCE), CVE-2021-45046 (RCE), and CVE-2021-45105 (DoS).

Apache Log4j is a Java-based logging utility. It was originally written by Ceki Gülcü and is part of the Apache Logging Services project of the Apache Software Foundation. Log4j is one of several Java logging frameworks. Apache Log4j 2 is an upgrade to Log4j that provides significant improvements over its predecessor, Log4j 1.x, and provides many of the improvements available in Logback while fixing some inherent problems in Logback’s architecture.
Apache has released Log4j 2.3.2 (for Java 6), 2.12.4 (for Java 7), and 2.17.1 (for Java 8 and later) to fix this newly discovered vulnerability. According to the advisory, CVE-2021-44832 allows remote code execution through the JDBC Appender when an attacker controls the logging configuration. Log4j 1.x is not affected by this vulnerability.

Vulnerability Detail

Apache Log4j2 versions 2.0-beta7 through 2.17.0 (excluding the security fix releases 2.3.2 and 2.12.4) are vulnerable to a remote code execution (RCE) attack: an attacker with permission to modify the logging configuration file can construct a malicious configuration using a JDBC Appender whose data source references a JNDI URI, which can execute remote code. This issue is fixed by limiting JNDI data source names to the java protocol in Log4j2 versions 2.17.1, 2.12.4, and 2.3.2.

Starting from version 2.17.1 (and 2.12.4 and 2.3.2 for Java 7 and Java 6 respectively), the JDBC Appender uses JndiManager and requires the log4j2.enableJndiJdbc system property to be set to true before it will use JNDI at all. The property that previously enabled JNDI, log4j2.enableJndi, has been split into three separate properties: log4j2.enableJndiLookup, log4j2.enableJndiJms, and log4j2.enableJndiContextSelector. JNDI functionality was already hardened in versions 2.3.1, 2.12.2, 2.12.3, and 2.17.0: from these versions onwards, support for the LDAP protocol has been removed and only the java protocol is supported in JNDI connections.
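As an added example (not from the advisory or the Log4j project), a small Python audit script that applies the two points above to a constructed log4j2.xml: it lists JDBC appenders whose DataSource is resolved through JNDI, flags names whose scheme is anything other than java: (the only scheme the fixed releases accept), and reports whether the log4j2.enableJndiJdbc system property would turn JNDI on for the JDBC Appender at all. The sample configuration, appender names and the host example.invalid are constructed for the illustration.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

# Constructed sample log4j2.xml (not from the advisory): one JDBC appender whose
# DataSource uses a java: name and one that points at a non-java: JNDI URI.
SAMPLE_CONFIG = """<?xml version="1.0" encoding="UTF-8"?>
<Configuration status="WARN">
  <Appenders>
    <JDBC name="auditDb" tableName="app_log">
      <DataSource jndiName="java:comp/env/jdbc/LoggingDataSource"/>
      <Column name="message" pattern="%m"/>
    </JDBC>
    <Appender type="JDBC" name="riskyDb" tableName="app_log">
      <DataSource jndiName="ldap://example.invalid:389/Unsafe"/>
      <Column name="message" pattern="%m"/>
    </Appender>
    <Console name="stdout"><PatternLayout pattern="%m%n"/></Console>
  </Appenders>
  <Loggers><Root level="info"><AppenderRef ref="stdout"/></Root></Loggers>
</Configuration>
"""

def _is_jdbc_appender(el):
    # Plugin names are case-insensitive; an appender may be <JDBC> or <Appender type="JDBC">.
    return el.tag.lower() == "jdbc" or el.get("type", "").lower() == "jdbc"

def find_jndi_datasources(config_xml):
    """Return (appender name, jndiName) for each JDBC appender backed by a JNDI DataSource."""
    found = []
    for el in ET.fromstring(config_xml).iter():
        if _is_jdbc_appender(el):
            for child in el:
                if child.tag.lower() == "datasource" and child.get("jndiName"):
                    found.append((el.get("name", "?"), child.get("jndiName")))
    return found

def risky_datasources(config_xml):
    """Flag JNDI names with a scheme other than java:; a scheme-less name is a plain local name."""
    return [(name, jndi) for name, jndi in find_jndi_datasources(config_xml)
            if urlsplit(jndi).scheme not in ("", "java")]

def jdbc_jndi_enabled(system_props):
    """Fixed releases do a JNDI lookup only if log4j2.enableJndiJdbc is true (case-insensitive)."""
    return system_props.get("log4j2.enableJndiJdbc", "false").strip().lower() == "true"

if __name__ == "__main__":
    for name, jndi in risky_datasources(SAMPLE_CONFIG):
        print(f"appender {name!r}: non-java JNDI data source {jndi!r}")
    print("JNDI for JDBC enabled:", jdbc_jndi_enabled({"log4j2.enableJndiJdbc": "true"}))
```

Run it against each deployed log4j2 configuration and alongside the JVM's -D system properties; a flagged DataSource on a pre-fix version is exactly the condition the advisory describes, while on a fixed version the lookup is refused regardless of the property.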