Forum Discussion
Apache releases Log4j 2.17.1 / 2.12.4 / 2.3.2 to Address CVE-2021-44832
After the initial discovery of CVE-2021-44228, a critical remote code execution (RCE) vulnerability in Apache Log4j, researchers have continued to closely examine Log4j, and additional vulnerabilities have since been disclosed. However, each additional vulnerability has had caveats for exploitation and was not exploitable in default configurations.
A new RCE vulnerability, CVE-2021-44832 has been released today by Apache and was given a “Moderate” severity rating with a CVSSv3 score of 6.6. This vulnerability can be exploited by an attacker with permission to modify the configuration file used by log4j. An attacker with these privileges could “construct a malicious configuration using a JDBC Appender with a data source referencing a JNDI URI which can execute remote code.” Because of the requirement to be able to modify the configuration file, exploitation is less likely for most users of Log4j. Apache has released Log4j versions 2.17.1 (Java 8), 2.12.4 (Java 7) and 2.3.2 (Java 6) to address this vulnerability. For further details about the vulnerability, please refer to Apache’s security advisory page.
Tenable plugin ID 156327 has been released for this vulnerability and will be available shortly. For a list of plugins covering CVE-2021-44832, you can use this link which will be updated as plugins are released.
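Two checks a defender can run for the issue described in the post, as an added example that is not part of the original post, of Apache's code or of Tenable's plugin: an audit of a Log4j 2 XML configuration for a JDBC appender whose DataSource points outside the `java:` JNDI namespace (the fixed releases only accept the `java:` protocol for that name), and a version comparison against the three fixed releases named above (2.17.1, 2.12.4, 2.3.2). The `<JDBC>` and `<DataSource jndiName="...">` element and attribute names are Log4j 2's own; the sample configurations are constructed.

```python
"""Added example: audit a Log4j 2 XML config for the CVE-2021-44832 pattern
and check a Log4j version against the fixed releases for its branch."""
import xml.etree.ElementTree as ET

# Fixed releases per branch, as named in the post:
# 2.17.1 (Java 8), 2.12.4 (Java 7), 2.3.2 (Java 6).
FIXED = {(2, 17): (2, 17, 1), (2, 12): (2, 12, 4), (2, 3): (2, 3, 2)}


def parse_version(version):
    """'2.17.1' -> (2, 17, 1); extra qualifiers after the third part are dropped."""
    return tuple(int(p) for p in version.strip().split(".")[:3])


def is_fixed(version):
    """True if the version is at or past the fixed release of its branch.
    Branches with no fixed release (for example 2.13 to 2.16) are only
    considered fixed once they are newer than 2.17.1; this assumes later
    branches carry the fix, which is an assumption of this example."""
    ver = parse_version(version)
    branch = ver[:2]
    if branch in FIXED:
        return ver >= FIXED[branch]
    return ver >= (2, 18, 0)


def find_risky_jdbc_appenders(config_xml):
    """Return (appender name, jndiName) pairs for JDBC appenders whose
    DataSource jndiName does not use the java: protocol.  This mirrors the
    restriction the fixed releases apply; anything else (ldap://, rmi://,
    ...) is the remote-lookup pattern the post describes."""
    root = ET.fromstring(config_xml)
    hits = []
    for elem in root.iter():
        if elem.tag.lower() != "jdbc":  # plugin names are case-insensitive
            continue
        for ds in elem.iter():
            if ds.tag.lower() != "datasource":
                continue
            jndi = ds.get("jndiName", "")
            if not jndi.lower().startswith("java:"):
                hits.append((elem.get("name", "?"), jndi))
    return hits


# Constructed sample: a JDBC appender backed by a container-managed
# DataSource, the normal way this appender is used.
SAFE_CONFIG = """<Configuration status="warn">
  <Appenders>
    <Console name="Console" target="SYSTEM_OUT">
      <PatternLayout pattern="%m%n"/>
    </Console>
    <JDBC name="AuditDb" tableName="audit_log">
      <DataSource jndiName="java:comp/env/jdbc/AuditDS"/>
      <Column name="message" pattern="%message"/>
    </JDBC>
  </Appenders>
  <Loggers><Root level="info"><AppenderRef ref="AuditDb"/></Root></Loggers>
</Configuration>"""

# Constructed sample: the same config with the DataSource name replaced by
# a remote URI (placeholder host), which an audit should flag.
RISKY_CONFIG = SAFE_CONFIG.replace(
    'jndiName="java:comp/env/jdbc/AuditDS"',
    'jndiName="ldap://host.invalid/placeholder"',
)


if __name__ == "__main__":
    for label, cfg in (("safe", SAFE_CONFIG), ("risky", RISKY_CONFIG)):
        print(label, "->", find_risky_jdbc_appenders(cfg))
    for v in ("2.17.0", "2.17.1", "2.12.3", "2.12.4", "2.3.2", "2.16.0"):
        print(v, "fixed" if is_fixed(v) else "NOT fixed")
```

Both checks complement each other: a version at or past the fixed release for its branch already refuses non-`java:` DataSource names, while the configuration audit finds the risky setting on hosts that cannot be upgraded immediately, and it needs write access to the config files, the same access the post identifies as the precondition for exploitation.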
4 Replies
- christine_walte (Connect Contributor)
Will this plugin be automatically updated in the Log4j Ecosystem scan policy?
- scaveza (Product Team)
Hi Christine. Yes, plugin ID 156327 will be added to the Log4j Ecosystem scan policy, along with any additional plugins released for this CVE.
What is the rationale for plugin ID 156327 having a VPR of Critical 9.2? The severity for CVE-2021-44832 based on CVSSv3 is medium...
Does CVE-2021-44832 impact the Tenable product itself?