Another vulnerability was discovered in Log4j. Accordingly, the Apache Foundation released a patch. Version Log4j 2.17.1 fixes a newfound method for remote code execution.
The vulnerability was found in version 2.17.0 and named CVE-2021-44832. Authorization to modify the configuration file allows hackers to set up a platform for remote code execution.
The vulnerability affects most versions, including recent ones. The only versions unaffected are 2.3.2 and 2.12.4.
Researchers uncovered the vulnerability using standard static code analysis tools and manual investigation. Critics note the questionable timing of its announcement, which comes in the middle of the holiday period.
Furthermore, the vulnerability is not as malicious as it may seem: a non-default configuration is required for exploitation. Yet, patching is advised. The patch addresses the vulnerability by restricting JDNI data source names to the Java protocol.