Security News > 2021 > December > Log4j 2.17.1 out now, fixes new remote code execution bug
Apache has released another Log4j version, 2.17.1, fixing a newly discovered remote code execution vulnerability in 2.17.0, tracked as CVE-2021-44832.
Prior to today, 2.17.0 was the most recent version of Log4j and deemed the safest release to upgrade to, but that advice has now evolved.
While the critical risk posed by the original Log4Shell exploit is paramount, milder variants of the vulnerability have emerged in Log4j versions including 2.15 and 2.16, which were previously believed to be fully patched.
At the time of Nizry's tweet, BleepingComputer did not see an official advisory or memo indicating the presence of an RCE bug in log4j 2.17.
Looks like log4j CVE-2021-44832 has non-default preconditions: "You are loading configuration from a remote server and/or someone can hijack/modify your log4j configuration file. You are using the JDBC log appender with a dynamic URL address."
Up until now, log4j vulnerabilities have been exploited by all kinds of threat actors from state-backed hackers to ransomware gangs and others to inject Monero miners on vulnerable systems.
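The preconditions quoted above (a JDBC appender whose DataSource is resolved through a remote JNDI/LDAP URI rather than a local name) can be checked for in existing Log4j2 XML configuration files. The scanner below is an added example, not code from the article or from Apache; the two configurations it parses are constructed samples, and it assumes that legitimate DataSource lookups use names beginning with java: (the usual java:comp/env form).

```python
import xml.etree.ElementTree as ET
from typing import List

# Assumption: a DataSource jndiName that does not start with "java:" is resolved
# through a remote JNDI provider (ldap://, rmi://, ...) and is therefore flagged.
SAFE_PREFIX = "java:"


def find_remote_jndi_datasources(config_xml: str) -> List[str]:
    """Return jndiName values of JDBC appender DataSources that are not local
    'java:' names. Element and attribute names are compared case-insensitively
    because Log4j2 plugin names (JDBC/Jdbc, DataSource/dataSource) are."""
    root = ET.fromstring(config_xml)
    findings: List[str] = []
    for appender in root.iter():
        if appender.tag.lower() != "jdbc":
            continue
        for child in appender:
            if child.tag.lower() != "datasource":
                continue
            jndi_name = next(
                (v for k, v in child.attrib.items() if k.lower() == "jndiname"), ""
            )
            if not jndi_name.lower().startswith(SAFE_PREFIX):
                findings.append(jndi_name)
    return findings


# Constructed sample: the risky shape described in the CVE text (remote LDAP URI).
VULNERABLE_CONFIG = """<Configuration status="warn">
  <Appenders>
    <JDBC name="databaseAppender" tableName="LOGGING.APPLICATION_LOG">
      <DataSource jndiName="ldap://db.example.invalid:389/jdbc/LoggingDataSource" />
      <Column name="EVENT_DATE" isEventTimestamp="true" />
      <Column name="MESSAGE" pattern="%message" />
    </JDBC>
  </Appenders>
  <Loggers><Root level="error"><AppenderRef ref="databaseAppender"/></Root></Loggers>
</Configuration>"""

# Constructed sample: same appender, but the DataSource is a local container lookup.
SAFE_CONFIG = VULNERABLE_CONFIG.replace(
    "ldap://db.example.invalid:389/jdbc/LoggingDataSource",
    "java:comp/env/jdbc/LoggingDataSource",
)

if __name__ == "__main__":
    for label, cfg in (("vulnerable", VULNERABLE_CONFIG), ("safe", SAFE_CONFIG)):
        print(label, "->", find_remote_jndi_datasources(cfg) or "no remote JNDI DataSource")
```

The check covers XML configurations only; JSON, YAML and properties configurations carry the same `jndiName` setting and need an equivalent scan, and the remote-configuration precondition (config loaded from a server an attacker can influence) is a deployment question the file itself cannot answer.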
Related Vulnerability
| Date | CVE | Vulnerability title | Risk |
|---|---|---|---|
| 2021-12-28 | CVE-2021-44832 | Improper Input Validation vulnerability in multiple products. Apache Log4j2 versions 2.0-beta7 through 2.17.0 (excluding security fix releases 2.3.2 and 2.12.4) are vulnerable to a remote code execution (RCE) attack when a configuration uses a JDBC Appender with a JNDI LDAP data source URI and an attacker has control of the target LDAP server. | 6.6 |