Log4j 2.17.1
The recent Log4j 2.17.1 update addresses CVE-2021-44832, a remote code execution flaw assessed with a score of 6.6. Exploitation requires the attacker to be able to modify the Log4j configuration file. As the CVE description states: "Apache Log4j2 versions 2.0-beta7 through 2.17.0 (excluding security fix releases 2.3.2 and 2.12.4) are vulnerable to a remote code execution (RCE) attack where an attacker with permission to modify the logging configuration file can construct a malicious configuration using a JDBC Appender with a data source referencing a JNDI URI which can execute remote code. This issue is fixed by limiting JNDI data source names to the java protocol in Log4j2 versions 2.17.1, 2.12.4, and 2.3.2."
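A configuration audit for the pattern the CVE description names, added here as an example (not Apache's code and not the check Log4j itself performs): it lists every JDBC Appender data source in a Log4j2 XML configuration and flags any `jndiName` that does not start with `java:`. The sample configuration, appender names and the `.invalid` host are constructed; treating every name without an explicit `java:` prefix as a finding is a deliberately conservative assumption.

```python
import xml.etree.ElementTree as ET

# Constructed sample configuration (not from a real deployment).
SAMPLE_CONFIG = """<Configuration status="warn">
  <Appenders>
    <JDBC name="okDb" tableName="app_log">
      <DataSource jndiName="java:/comp/env/jdbc/LoggingDataSource"/>
      <Column name="message" pattern="%m"/>
    </JDBC>
    <JDBC name="remoteDb" tableName="app_log">
      <DataSource jndiName="ldap://directory.example.invalid/cn=ds"/>
      <Column name="message" pattern="%m"/>
    </JDBC>
    <JDBC name="lookupDb" tableName="app_log">
      <DataSource jndiName="${env:LOG_DS}"/>
      <Column name="message" pattern="%m"/>
    </JDBC>
  </Appenders>
</Configuration>"""


def local(tag):
    """Element name without any XML namespace, lower-cased."""
    return tag.rsplit("}", 1)[-1].lower()


def audit_jdbc_datasources(xml_text):
    """Return (appender name, jndiName, verdict) for each JDBC DataSource."""
    findings = []
    root = ET.fromstring(xml_text)
    for appender in (e for e in root.iter() if local(e.tag) == "jdbc"):
        for child in (c for c in appender if local(c.tag) == "datasource"):
            attrs = {k.lower(): v.strip() for k, v in child.attrib.items()}
            jndi = attrs.get("jndiname", "")
            if "${" in jndi:
                verdict = "review"  # resolved at runtime; cannot judge statically
            elif jndi.lower().startswith("java:"):
                verdict = "ok"      # the only protocol the fixed releases allow
            else:
                verdict = "flag"    # no explicit java: prefix (conservative)
            findings.append((appender.get("name"), jndi, verdict))
    return findings


if __name__ == "__main__":
    for name, jndi, verdict in audit_jdbc_datasources(SAMPLE_CONFIG):
        print(f"{verdict:6} {name:10} {jndi}")
```

Because the flaw depends on write access to the logging configuration, a finding here is also a reason to review who can modify that file.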