snyk.io
Open in
urlscan Pro
2a02:26f0:6a:481::ecd
Public Scan
URL:
https://snyk.io/blog/new-log4j-2-17-1-fixes-cve-2021-44832-remote-code-execution-but-its-not-as-bad-as-it-sounds/
Submission: On December 29 via api from US — Scanned from DE
Submission: On December 29 via api from US — Scanned from DE
Form analysis 6 forms found in the DOM
<form id="mktoForm_1461" style="display: none; font-family: Helvetica, Arial, sans-serif; font-size: 13px; color: rgb(51, 51, 51); width: 1px;" novalidate="novalidate" class="mktoForm mktoHasWidth mktoLayoutLeft">
<style type="text/css">
.mktoForm .mktoButtonWrap.mktoSimple .mktoButton {
color: #fff;
border: 1px solid #75ae4c;
padding: 0.4em 1em;
font-size: 1em;
background-color: #99c47c;
background-image: -webkit-gradient(linear, left top, left bottom, from(#99c47c), to(#75ae4c));
background-image: -webkit-linear-gradient(top, #99c47c, #75ae4c);
background-image: -moz-linear-gradient(top, #99c47c, #75ae4c);
background-image: linear-gradient(to bottom, #99c47c, #75ae4c);
}
.mktoForm .mktoButtonWrap.mktoSimple .mktoButton:hover {
border: 1px solid #447f19;
}
.mktoForm .mktoButtonWrap.mktoSimple .mktoButton:focus {
outline: none;
border: 1px solid #447f19;
}
.mktoForm .mktoButtonWrap.mktoSimple .mktoButton:active {
background-color: #75ae4c;
background-image: -webkit-gradient(linear, left top, left bottom, from(#75ae4c), to(#99c47c));
background-image: -webkit-linear-gradient(top, #75ae4c, #99c47c);
background-image: -moz-linear-gradient(top, #75ae4c, #99c47c);
background-image: linear-gradient(to bottom, #75ae4c, #99c47c);
}
</style>
<div class="mktoButtonRow"><span class="mktoButtonWrap mktoSimple" style="margin-left: 120px;"><button type="submit" class="mktoButton">Submit</button></span></div><input type="hidden" name="formid" class="mktoField mktoFieldDescriptor"><input
type="hidden" name="munchkinId" class="mktoField mktoFieldDescriptor">
<style type="text/css">
.mktoForm .mktoButtonWrap.mktoSimple .mktoButton {
color: #fff;
border: 1px solid #75ae4c;
padding: 0.4em 1em;
font-size: 1em;
background-color: #99c47c;
background-image: -webkit-gradient(linear, left top, left bottom, from(#99c47c), to(#75ae4c));
background-image: -webkit-linear-gradient(top, #99c47c, #75ae4c);
background-image: -moz-linear-gradient(top, #99c47c, #75ae4c);
background-image: linear-gradient(to bottom, #99c47c, #75ae4c);
}
.mktoForm .mktoButtonWrap.mktoSimple .mktoButton:hover {
border: 1px solid #447f19;
}
.mktoForm .mktoButtonWrap.mktoSimple .mktoButton:focus {
outline: none;
border: 1px solid #447f19;
}
.mktoForm .mktoButtonWrap.mktoSimple .mktoButton:active {
background-color: #75ae4c;
background-image: -webkit-gradient(linear, left top, left bottom, from(#75ae4c), to(#99c47c));
background-image: -webkit-linear-gradient(top, #75ae4c, #99c47c);
background-image: -moz-linear-gradient(top, #75ae4c, #99c47c);
background-image: linear-gradient(to bottom, #75ae4c, #99c47c);
}
</style>
<div class="mktoButtonRow"><span class="mktoButtonWrap mktoSimple" style="margin-left: 120px;"><button type="submit" class="mktoButton">Submit</button></span></div>
</form><form id="mktoForm_1461" style="display: none; font-family: Helvetica, Arial, sans-serif; font-size: 13px; color: rgb(51, 51, 51); width: 1px;" novalidate="novalidate" class="mktoForm mktoHasWidth mktoLayoutLeft">
<style type="text/css">
.mktoForm .mktoButtonWrap.mktoSimple .mktoButton {
color: #fff;
border: 1px solid #75ae4c;
padding: 0.4em 1em;
font-size: 1em;
background-color: #99c47c;
background-image: -webkit-gradient(linear, left top, left bottom, from(#99c47c), to(#75ae4c));
background-image: -webkit-linear-gradient(top, #99c47c, #75ae4c);
background-image: -moz-linear-gradient(top, #99c47c, #75ae4c);
background-image: linear-gradient(to bottom, #99c47c, #75ae4c);
}
.mktoForm .mktoButtonWrap.mktoSimple .mktoButton:hover {
border: 1px solid #447f19;
}
.mktoForm .mktoButtonWrap.mktoSimple .mktoButton:focus {
outline: none;
border: 1px solid #447f19;
}
.mktoForm .mktoButtonWrap.mktoSimple .mktoButton:active {
background-color: #75ae4c;
background-image: -webkit-gradient(linear, left top, left bottom, from(#75ae4c), to(#99c47c));
background-image: -webkit-linear-gradient(top, #75ae4c, #99c47c);
background-image: -moz-linear-gradient(top, #75ae4c, #99c47c);
background-image: linear-gradient(to bottom, #75ae4c, #99c47c);
}
</style>
<div class="mktoButtonRow"><span class="mktoButtonWrap mktoSimple" style="margin-left: 120px;"><button type="submit" class="mktoButton">Submit</button></span></div><input type="hidden" name="formid" class="mktoField mktoFieldDescriptor"
value="1461"><input type="hidden" name="munchkinId" class="mktoField mktoFieldDescriptor" value="677-THP-415">
<style type="text/css">
.mktoForm .mktoButtonWrap.mktoSimple .mktoButton {
color: #fff;
border: 1px solid #75ae4c;
padding: 0.4em 1em;
font-size: 1em;
background-color: #99c47c;
background-image: -webkit-gradient(linear, left top, left bottom, from(#99c47c), to(#75ae4c));
background-image: -webkit-linear-gradient(top, #99c47c, #75ae4c);
background-image: -moz-linear-gradient(top, #99c47c, #75ae4c);
background-image: linear-gradient(to bottom, #99c47c, #75ae4c);
}
.mktoForm .mktoButtonWrap.mktoSimple .mktoButton:hover {
border: 1px solid #447f19;
}
.mktoForm .mktoButtonWrap.mktoSimple .mktoButton:focus {
outline: none;
border: 1px solid #447f19;
}
.mktoForm .mktoButtonWrap.mktoSimple .mktoButton:active {
background-color: #75ae4c;
background-image: -webkit-gradient(linear, left top, left bottom, from(#75ae4c), to(#99c47c));
background-image: -webkit-linear-gradient(top, #75ae4c, #99c47c);
background-image: -moz-linear-gradient(top, #75ae4c, #99c47c);
background-image: linear-gradient(to bottom, #75ae4c, #99c47c);
}
</style>
<div class="mktoButtonRow"><span class="mktoButtonWrap mktoSimple" style="margin-left: 120px;"><button type="submit" class="mktoButton">Submit</button></span></div>
</form><form style="display: none; font-family: Helvetica, Arial, sans-serif; font-size: 13px; color: rgb(51, 51, 51); visibility: hidden; position: absolute; top: -500px; left: -1000px; width: 1600px;" novalidate="novalidate"
class="mktoForm mktoHasWidth mktoLayoutLeft"></form><form style="display: none; font-family: Helvetica, Arial, sans-serif; font-size: 13px; color: rgb(51, 51, 51); visibility: hidden; position: absolute; top: -500px; left: -1000px; width: 1600px;" novalidate="novalidate"
class="mktoForm mktoHasWidth mktoLayoutLeft"></form><form style="display: none; font-family: Helvetica, Arial, sans-serif; font-size: 13px; color: rgb(51, 51, 51); width: 1600px; visibility: hidden; position: absolute; top: -500px; left: -1000px;" novalidate="novalidate"
class="mktoForm mktoHasWidth mktoLayoutLeft"></form><form style="display: none; font-family: Helvetica, Arial, sans-serif; font-size: 13px; color: rgb(51, 51, 51); width: 1600px; visibility: hidden; position: absolute; top: -500px; left: -1000px;" novalidate="novalidate"
class="mktoForm mktoHasWidth mktoLayoutLeft"></form>Text Content
Submit
Submit
We use cookies to ensure you get the best experience on our website.
Got it Read more
* Product
* Products
* Snyk Open Source
Find and automatically fix open source vulnerabilities
* Snyk Code
Find and fix vulnerabilities in your application code in real time
* Snyk Container
Find and fix vulnerabilities in container images and Kubernetes
applications
* Snyk Infrastructure as Code
Find and fix misconfigurations in Terraform, CloudFormation, Kubernetes,
and ARM templates
* Platform
* Developer Security Platform
Secure all the components of the modern cloud native application in a
single platform
* Security Intelligence
Access our comprehensive vulnerability data to help your own security
systems
* License Compliance Management
Manage open source license usage in your projects
* What is Snyk?
See Snyk’s developer-first security platform in action
* Pricing
* Docs
* Docs
* Getting Started
* Product Updates
* CLI
* API
* Support
* KnowledgeBase
* Raise a Request
* View Requests
* Onboarding
* Prepare for rollout
* Group setup
* Organization setup
* Developer usage
* Learn
* DevSecOps Hub
* Snyk Learn
* Developer and Security Resources
* Snyk Vulnerability DB
* Blog
* Community
* Events
* Company
* Customers
* About Snyk
* Snyk Impact
* Partners
* Newsroom
* Jobs at Snyk We are hiring
* Contact us
Log in BOOK A DEMO SIGN UP
* Product
* Products
* Snyk Open Source
Find and automatically fix open source vulnerabilities
* Snyk Code
Find and fix vulnerabilities in your application code in real time
* Snyk Container
Find and fix vulnerabilities in container images and Kubernetes
applications
* Snyk Infrastructure as Code
Find and fix misconfigurations in Terraform, CloudFormation, Kubernetes,
and ARM templates
* Platform
* Developer Security Platform
Secure all the components of the modern cloud native application in a
single platform
* Security Intelligence
Access our comprehensive vulnerability data to help your own security
systems
* License Compliance Management
Manage open source license usage in your projects
* What is Snyk?
See Snyk’s developer-first security platform in action
* Pricing
* Docs
* Docs
* Getting Started
* Product Updates
* CLI
* API
* Support
* KnowledgeBase
* Raise a Request
* View Requests
* Onboarding
* Prepare for rollout
* Group setup
* Organization setup
* Developer usage
* Learn
* DevSecOps Hub
* Snyk Learn
* Developer and Security Resources
* Snyk Vulnerability DB
* Blog
* Community
* Events
* Company
* Customers
* About Snyk
* Snyk Impact
* Partners
* Newsroom
* Jobs at Snyk We are hiring
* Contact us
Log in BOOK A DEMO SIGN UP
All articles
* Application Security
* Cloud Native Security
* DevSecOps
* Engineering
* Partners
* Snyk Team
* Show more
* Vulnerabilities
* Product
* Ecosystems
Application Security
NEW LOG4J 2.17.1 FIXES CVE-2021-44832 REMOTE CODE EXECUTION (BUT IT’S NOT AS BAD
AS IT SOUNDS)
Liran Tal, Benji Catabi-Kalman December 28, 2021
As previously predicted to unfold, at approximately 7:35 PM GMT, 28th of
December 2021, another security vulnerability impacting the Log4j logging
library was published as CVE-2021-44832.
This new CVE-2021-44832 security vulnerability is affecting versions up to
2.17.0, which was previously thought to be fixed. This vulnerability is similar
in nature to CVE-2021-4104 which affected the 1.x branch of Log4j.
THE IMPACT OF CVE-2021-44832
If you are able to swiftly upgrade to the latest fixed version of Log4j then you
should follow that path. That said, we’d like to point out that this specific
CVE-2021-44832 vulnerability has been assigned a medium 6.6 CVSS score and
requires considerably elevated pre-conditions for an attacker to exploit
successfully.
CVE-2021-44832 deems Log4j 2.17.0 (and older versions) to be vulnerable to code
execution if an attacker is able to control, and modify, the contents of the
logging configuration file to then point to a remote URI data source to load
arbitrary Java code.
The fix in 2.17.1, and backported to older JVM-compatible versions of the
library, mitigated that vulnerability by restricting the JNDI data source in the
configuration file to only allow the use of the Java protocol, and disallow any
remote network calls to be made.
IMMEDIATE STEPS YOU SHOULD TAKE TO FIX CVE-2021-44832
The Log4j team published fixes for this security vulnerability:
* If you’re on Java 8 and later you should upgrade to Log4j 2.17.1
* If you’re on the 2.12.x branch for Java 7, upgrade to Log4j 2.12.4
* If you’re on the 2.3.x branch for Java 6, upgrade to Log4j 2.3.2
A STORM OF PREMATURELY LEAKED LOG4J VULNERABILITIES
The disclosure of this vulnerability, has followed an increasingly worrying
trend in irresponsible disclosures in Log4j, where security researchers have
leaked details of the vulnerabilities they have disclosed before maintainers
have had time to properly fix the issue and publish new releases.
This problematic phenomenon started with the original Log4j RCE wherein
researchers leaked details and even a proof of concept of the vulnerability on
Twitter and GitHub, hours before the official disclosure (see our timeline). Yet
again, the existence of this vulnerability was leaked on Twitter several hours
before the official release, by a security researcher claiming credit for the
finding.
It would appear that in both cases, the leaking of information, while probably
without malicious intent, has led to a rushed release on behalf of Apache (which
could leave the door open for additional vulnerabilities and bugs in the new
release). Additionally, in this specific instance we can assume that given a
choice, Apache would have not chosen to rush out a release at a time of year
where many organizations have extended holidays and would therefore be less able
to quickly triage and remediate the issue if needed.
Open source security is increasingly important to the world at large and
responsible disclosure practice is a cornerstone of our community’s ongoing
security. We hope that any future disclosures in Log4j or other open source
packages can be more safely handled going forward.
As always, we at Snyk, remain committed to our responsible disclosure program,
while also staying vigilant to any potential emerging threats and providing
quick and actionable information to our users and the open source community at
large.
LOG4SHELL RESOURCE CENTER
We’ve created an extensive library of Log4Shell resources to help you
understand, find and fix this Log4j vulnerability.
Browse Resources
Develop Fast.
Stay Secure.
Sign up for free Book a demo
PRODUCT
* Developers & DevOps
* Vulnerability Database
* Pricing
* Test with GitHub
* API Status
* IDE Plugins
* What is Snyk?
RESOURCES
* Snyk Learn
* Vulnerability DB
* Blog
* Security Fundamentals
* Documentation
* Snyk API
* Disclosed Vulnerabilities
* Open Source Advisor
* FAQs
* Website Scanner
* Audit Services
COMPANY
* About Us
* Snyk Impact
* Customers
* Jobs at Snyk
* Snyk for Government
* Legal Terms
* Privacy
* Press Kit
* Events
* Secure by Design
* Do Not Sell My Personal Information
CONNECT
* Book a Demo
* Contact Us
* Support
* Report a New Vuln
SECURITY
* JavaScript Security
* Container Security
* Kubernetes Security
* Open Source Security
* Application Security
* Secure SDLC
* Cloud Native Security
* Cloud security
* Secure coding
* npm packages
Snyk is a developer security platform. Integrating directly into development
tools, workflows, and automation pipelines, Snyk makes it easy for teams to
find, prioritize, and fix security vulnerabilities in code, dependencies,
containers, and infrastructure as code. Supported by industry-leading
application and security intelligence, Snyk puts security expertise in any
developer's toolkit.
RESOURCES
* Snyk Learn
* Vulnerability DB
* Blog
* Security Fundamentals
* Documentation
* Snyk API
* Disclosed Vulnerabilities
* Open Source Advisor
* FAQs
* Website Scanner
* Audit Services
TRACK OUR DEVELOPMENT
*
*
*
*
*
*
© 2021 Snyk Limited
Registered in England and Wales
Company number: 09677925
Registered address: Highlands House, Basingstoke Road, Spencers Wood, Reading,
Berkshire, RG7 1NT.
Submit
Submit
Read Next
Log4j vulnerability resources: find and fix Log4Shell
Learn more
Curious about Snyk?
See how you and your team can build secure software.
Read Next