The Fifth Log4j Vulnerability Has Been Fixed by Apache

Apache has released another Log4j version, 2.17.1; until yesterday the most recent Log4j version was 2.17.0. The new release addresses the RCE found in 2.17.0, tracked as CVE-2021-44832.

Five CVEs Have Been Linked to Log4j in Less than a Month

The original Log4j vulnerability was assigned CVE-2021-44228. After a proof-of-concept (PoC) exploit for it appeared on GitHub around December 9, attackers began exploiting it at scale, impacting enterprises and governments worldwide, as most Java applications use Log4j.

Other Log4j vulnerabilities then began to surface in later versions, such as 2.15 and 2.16.

According to BleepingComputer, Log4j had by then been linked to four different CVEs, one of them found in the 'logback' framework. A DoS bug was then identified in version 2.16, so at that point upgrading to 2.17.0 was the safest option.

A new remote code execution vulnerability was then discovered in that version as well, tracked as CVE-2021-44832 as noted above. The newest release, 2.17.1, is now available and patches it.
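A check a practitioner would want after reading this: an added example (not from the article, BleepingComputer or Apache) that walks a directory tree for log4j-core jars, reads the version from the jar's Maven pom.properties (falling back to the file name), and flags anything below 2.17.1. The jar paths and versions in the `__main__` block are constructed sample data.

```python
"""Find log4j-core jars older than 2.17.1, the release the article says patches CVE-2021-44832."""
import re
import tempfile
import zipfile
from pathlib import Path

FIXED_VERSION = (2, 17, 1)  # first release with the CVE-2021-44832 fix, per the article
POM_PROPS = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
NAME_RE = re.compile(r"log4j-core-(\d+(?:\.\d+)*)\.jar$")

def parse_version(text):
    """'2.17.0' -> (2, 17, 0); tuples compare numerically, so 2.9 < 2.17 holds."""
    return tuple(int(p) for p in re.findall(r"\d+", text))

def jar_version(path):
    """Version from the Maven pom.properties inside the jar, else from the file name, else None."""
    try:
        with zipfile.ZipFile(path) as zf:
            if POM_PROPS in zf.namelist():
                for line in zf.read(POM_PROPS).decode("utf-8", "replace").splitlines():
                    if line.startswith("version="):
                        return parse_version(line.split("=", 1)[1])
    except zipfile.BadZipFile:
        pass  # not a jar (or corrupt): fall back to the file name below
    m = NAME_RE.search(path.name)
    return parse_version(m.group(1)) if m else None

def scan(root):
    """Return (path, version, needs_upgrade) for every log4j-core jar found under root."""
    findings = []
    for jar in sorted(root.rglob("*.jar")):
        ver = jar_version(jar)
        if ver is not None:
            findings.append((str(jar), ".".join(map(str, ver)), ver < FIXED_VERSION))
    return findings

def make_fake_jar(path, version):
    """Constructed sample input: a minimal jar carrying only log4j-core's pom.properties."""
    path.parent.mkdir(parents=True, exist_ok=True)
    with zipfile.ZipFile(path, "w") as zf:
        zf.writestr(POM_PROPS, f"version={version}\n")

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        make_fake_jar(root / "app1/lib/log4j-core-2.16.0.jar", "2.16.0")  # constructed
        make_fake_jar(root / "app2/lib/renamed-logging.jar", "2.17.1")    # constructed
        for path, ver, needs_upgrade in scan(root):
            print(("UPGRADE " if needs_upgrade else "ok      ") + ver + "  " + path)
```

Jars that carry no pom.properties and have a non-standard name, and log4j-core copies nested inside fat jars or WAR files, are not found by this check.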

Credit for reporting the vulnerability in version 2.17.0 to Apache was claimed by the white-hat security researcher

Read More: https://heimdalsecurity.com/blog/the-fifth-log4j-vulnerability-has-been-fixed-by-apache/