• Home
  • |
  • Blog
  • |
  • How To Fix CVE-2021-44832- A Remote Code Execution Vulnerability In Apache Log4j Library
How to Fix CVE-2021-44832- A Remote Code Execution Vulnerability in Apache Log4j Library

Researchers disclosed a new vulnerability in the Log4j library. ASF confirmed that the vulnerability tracked as CVE-2021-44832 is a remote code execution vulnerability, which is rated 6.6 in severity out of 10. You don’t leave with an option to ignore this one again. Keeping the significance of the Log4j in mind, it is highly recommended to fix CVE-2021-44832, a remote code execution vulnerability in the Apache Log4j library. Let’s see how to fix CVE-2021-44832- A Remote Code Execution Vulnerability in Apache Log4j Library.

Summary Of CVE-2021-44832:

The first thing is to know that this vulnerability is different from other JNDI lookup vulnerabilities. This RCE vulnerability could allow attackers to modify the logging configuration file to execute code via a data source referencing a JNDI URI.

Associated CVE IDCVE-2021-44832
DescriptionRemote Code Execution vulnerability in Log4j Logging Library
Associated ZDI IDNA
CVSS Score6.6 Moderate
VectorCVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
Impact ScoreNA
Exploitability ScoreNA
Attack Vector (AV)Network
Attack Complexity (AC)High
Privilege Required (PR)High
User Interaction (UI)None
ScopeUnchanged
Confidentiality (C)High
Integrity (I)High
availability (a)High
Exploit Code Maturity (E)Proof-of-Concept (P)
Remediation Level (RL)Official Fix (O)
Report Confidence (RC)Confirmed (C)

Log4j Versions Affected To CVE-2021-44832:

This vulnerability affects all Log4j versions starting from 2.0-alpha7 to 2.17.0, excluding 2.3.2 and 2.12.4. When it comes to version 1.x, the vendor said it is not tested considering out of support. Apache foundation has recommended upgrading to Log4j 2.3.2 for those who use Java 6, Log4j 2.12.4 for those who use Java 7, or Log4j 2.17.1 for the users who use Java 8 and above.

How To Fix CVE-2021-44832 A Remote Code Execution Vulnerability In Log4j?

According to Apache Foundation, “Apache Log4j2 versions 2.0-beta7 through 2.17.0 (excluding security fix releases 2.3.2 and 2.12.4) are vulnerable to a remote code execution (RCE) attack where an attacker with permission to modify the logging configuration file can construct a malicious configuration using a JDBC Appender with a data source referencing a JNDI URI which can execute remote code. This issue is fixed by limiting JNDI data source names to the java protocol in Log4j2 versions 2.17.1, 2.12.4, and 2.3.2.”

Apache Foundation

Apache foundation has recommended upgrading to Log4j 2.3.2 for those who use Java 6, Log4j 2.12.4 for those who use Java 7, or Log4j 2.17.1 for the users who use Java 8 and above.
Make a note of your Java version to upgrade the Log4j library.

Java 8 and aboveLog4j 2.17.1
Java 7Log4j 2.12.4
java 6Log4j 2.3.2

Other mitigation guidelines to address the Remote Code Execution Vulnerability (CVE-2021-44832 ) is: Configure your JDBC Appender not to use any protocol other than Java.
Important points to be noted:

  1. Make sure prior releases don’t use JDBC Appender.
  2. Configure your JDBC Appender not to use any protocol other than Java.
  3. Applications that use log4j-core JAR file is vulnerable to this flaw.
  4. Applications using only the log4j-api JAR file without the log4j-core JAR file are no need to worry. Such applications are not affected by this vulnerability.
  5. Apache Log4j is the only Logging Services affected by this (CVE-2021-44832) vulnerability.
  6. Other subprojects such as Log4net and Log4cxx are not affected by this vulnerability.
  7. Please read the release notes of Log4j 2.17.1 here.

Other Log4j Vulnerabilities In 2021:

  1. A Critical 0-day Unauthenticated Remote Code Execution vulnerability in Log4j Logging Library (CVE-2021-44228) allows attackers to carry out unauthenticated, remote code execution attacks.
  2. A new vulnerability (CVE-2021-45046) Log4j library allows attackers to perform denial of service (DOS) attacks by crafting malicious input data using a JNDI Lookup pattern.
  3. CVE-2021-45105 was discovered as the third vulnerability within the month that allows attackers to perform Denial of Service due to infinite recursion in lookup evaluation.
  4. Now the latest discloser is that the Log4j is affected by CVE-2021-44832- A Remote Code Execution Vulnerability which is fixed in v2.17.1.
vulnerabilityCVSSDescriptionFixed In
CVE-2021-4422810.0 CriticalUnauthenticated Remote Code Execution vulnerability in Log4j Logging Library2.15.0
CVE-2021-450463.7 LowDenial of Service vulnerability in Log4j Logging Library2.16.0
CVE-2021-451057.5 HighDenial of Service vulnerability in Log4j Logging Library due to infinite recursion in lookup evaluation2.17.0
CVE-2021-448326.6 MediumRCE vulnerability could allow attackers to modify the logging configuration file to execute code via a data source referencing a JNDI URI.2.17.1

We hope this post will help you know How to Fix CVE-2021-44832- A Remote Code Execution Vulnerability in Apache Log4j Library. Thanks for reading this threat post. Please share this post and help to secure the digital world. Visit our social media page on FacebookLinkedInTwitterTelegramTumblr, & Medium and subscribe to receive updates like this.

About the author

Arun KL

To know more about me. Follow me on LinkedIn Hi All, I am Arun KL, an IT Security Professional. Founder of “thesecmaster.com”. Enthusiast, Security Blogger, Technical Writer, Editor, Author at TheSecMaster. To know more about me. Follow me on LinkedIn

Leave a Reply

Your email address will not be published. Required fields are marked

{"email":"Email address invalid","url":"Website address invalid","required":"Required field missing"}

Learn Something New with Free Email subscription

Email is also one of the ways to be in touch with us. Our free subscription plan offers you to receive post updates straight to your inbox.