Since the first remote code execution vulnerability in Apache Log4j2 was disclosed earlier this month, several further vulnerabilities have been disclosed one after another, with impact on a global scale.

Recently, another serious remote code execution vulnerability was disclosed in the Apache Log4j logging library, tracked as CVE-2021-44832. It was discovered independently by Hideki Okamoto, Lederfein, and another anonymous vulnerability researcher.

CVE-2021-44832 is the third RCE and the fourth vulnerability overall in the Log4j library, following CVE-2021-44228 (RCE), CVE-2021-45046 (RCE) and CVE-2021-45105 (DoS).

According to reports, CVE-2021-44832 affects Apache Log4j2 versions 2.0-beta7 through 2.17.0 (excluding the security-fix releases 2.3.2 and 2.12.4), which are vulnerable to remote code execution (RCE): an attacker with permission to modify the logging configuration file can craft a malicious configuration that uses the JDBC Appender with a data source referencing a JNDI URI, which can execute remote code. The issue has been resolved in Log4j2 versions 2.17.1, 2.12.4 and 2.3.2 by restricting JNDI data source names to the java protocol.

It is worth noting that Log4j 1.x is not affected by this vulnerability. Affected users can upgrade to Log4j 2.3.2 (for Java 6), 2.12.4 (for Java 7) or 2.17.1 (for Java 8 and later) to mitigate it.

According to the official advisory, only the log4j-core JAR is affected by this vulnerability. Applications that use only the log4j-api JAR and not log4j-core are not affected.
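The two facts above, the risky configuration pattern and the affected log4j-core version range, translate directly into checks a defender can run over a deployment. The following script is an added example and is not code from the original article or from the Log4j project: `risky_jdbc_datasources()` flags JDBC appenders whose `DataSource` element uses a JNDI name outside the `java:` protocol (the restriction the fixed releases enforce in the library itself), and `core_version_affected()` classifies a log4j-core version string against the range the advisory names. The sample configuration and the `placeholder.invalid` hostname are constructed for the example.

```python
"""Added example, not part of the original article or of the Log4j project:
two defender-side checks for CVE-2021-44832 as the article describes it.
risky_jdbc_datasources() flags JDBC appenders whose DataSource element
points at a JNDI name outside the java: protocol, and
core_version_affected() tells whether a log4j-core version falls in the
affected range (2.0-beta7 through 2.17.0, minus the 2.3.2 and 2.12.4
security releases)."""
import re
import xml.etree.ElementTree as ET

# Constructed sample configuration (hostname is a placeholder): one JDBC
# appender with a conventional java: data source and one whose data
# source is resolved through a remote JNDI protocol.
SAMPLE_CONFIG = """<Configuration status="WARN">
  <Appenders>
    <JDBC name="dbSafe" tableName="app_log">
      <DataSource jndiName="java:comp/env/jdbc/LoggingDataSource"/>
      <Column name="message" pattern="%message"/>
    </JDBC>
    <Appender type="JDBC" name="dbRisky" tableName="app_log">
      <DataSource jndiName="ldap://placeholder.invalid/ds"/>
      <Column name="message" pattern="%message"/>
    </Appender>
  </Appenders>
  <Loggers>
    <Root level="info"><AppenderRef ref="dbSafe"/></Root>
  </Loggers>
</Configuration>
"""


def _local(tag: str) -> str:
    """Strip any XML namespace prefix from an element tag."""
    return tag.rsplit("}", 1)[-1]


def _is_jdbc_appender(elem: ET.Element) -> bool:
    """Match both the <JDBC> shorthand and the strict <Appender type="JDBC"> form."""
    tag = _local(elem.tag)
    return tag == "JDBC" or (tag == "Appender" and elem.get("type") == "JDBC")


def risky_jdbc_datasources(config_xml: str) -> list[tuple[str, str]]:
    """Return (appender name, jndiName) for every JDBC appender whose
    DataSource jndiName is not confined to the java: protocol. The fixed
    releases enforce this restriction in the library; on earlier releases
    the configuration itself is the only place to check."""
    root = ET.fromstring(config_xml)
    findings = []
    for appender in root.iter():
        if not _is_jdbc_appender(appender):
            continue
        for child in appender.iter():
            if _local(child.tag) != "DataSource":
                continue
            jndi = child.get("jndiName", "")
            if not jndi.lower().startswith("java:"):
                findings.append((appender.get("name", "?"), jndi))
    return findings


# Pre-release tags sort below the final release of the same x.y.
_PRE_ORDER = {"beta": 0, "rc": 1}
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)(?:\.(\d+))?(?:-(beta|rc)(\d+))?$")


def parse_version(text: str) -> tuple[int, int, int, int, int]:
    """Turn a Log4j version string such as '2.0-beta7' or '2.17.1' into a
    tuple that orders correctly: (major, minor, patch, stage, stage_num)."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised Log4j version: {text!r}")
    major, minor, patch, tag, num = m.groups()
    stage = (_PRE_ORDER[tag], int(num)) if tag else (2, 0)
    return (int(major), int(minor), int(patch or 0)) + stage


FIRST_AFFECTED = parse_version("2.0-beta7")
LAST_AFFECTED = parse_version("2.17.0")
SECURITY_RELEASES = {parse_version(v) for v in ("2.3.2", "2.12.4", "2.17.1")}


def core_version_affected(version: str) -> bool:
    """True when a log4j-core version is inside the range the advisory
    names and is not one of the security releases. The 1.x line is out
    of scope, so it returns False."""
    v = parse_version(version)
    if v in SECURITY_RELEASES:
        return False
    return FIRST_AFFECTED <= v <= LAST_AFFECTED


if __name__ == "__main__":
    for name, jndi in risky_jdbc_datasources(SAMPLE_CONFIG):
        print(f"appender {name!r}: DataSource jndiName {jndi!r} is not a java: name")
    for ver in ("2.0-beta6", "2.0-beta7", "2.12.3", "2.12.4", "2.17.0", "2.17.1", "1.2.17"):
        print(f"log4j-core {ver}: {'affected' if core_version_affected(ver) else 'not affected'}")
```

Run `risky_jdbc_datasources()` over the `log4j2.xml` files actually shipped with a deployment and `core_version_affected()` over the version parsed from each `log4j-core-*.jar` name; a finding from the first check only matters on a version the second check reports as affected, since the fixed releases refuse non-`java:` names at runtime. The version check applies to log4j-core only, which is why a deployment that carries just log4j-api needs no further action.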

Note also that Apache Log4j is the only logging-services subproject affected by this vulnerability; other projects such as Log4net and Log4cxx are not affected.


snakesss

SegmentFault editor; submissions of high-quality technical news are welcome!