Log4j 2.17.1 update eliminates another vulnerability

Bug-fix releases of the Log4j library, 2.17.1, 2.3.2-rc1 and 2.12.4-rc1, have been published, fixing another vulnerability (CVE-2021-44832). The problem is reported to allow remote code execution (RCE), but it is rated as moderate severity (CVSS score 6.6) and is mainly of theoretical interest, since it requires specific conditions for exploitation: the attacker must be able to modify the Log4j configuration, i.e. must already have access to the target system and the ability either to change the value of the log4j2.configurationFile parameter or to edit the existing logging configuration files.

The attack boils down to defining a JDBC Appender-based configuration on the local system whose DataSource refers to an external JNDI URI; when that name is looked up, the remote JNDI server can return a Java class that is then executed. In the fixed releases, JNDI data source names in the JDBC Appender are limited to the java protocol, so without a change to the configuration the attack is impossible. Also, the issue only affects the log4j-core JAR and does not affect applications that use the log4j-api JAR without log4j-core. …
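The check a practitioner would want after reading the above is twofold: which log4j-core version is deployed, and whether any Log4j configuration file already carries a JDBC Appender whose DataSource points at a non-java JNDI name. The scanner below, an added example that is not code from the Log4j project or from the opennet.ru article, parses a log4j2 XML configuration (XML only; JSON, YAML and properties formats are not handled), flags JDBC appenders whose jndiName uses a scheme other than java:, and compares a version string against the fixed releases named in the advisory. The sample configuration is constructed for the example, the hostnames are placeholders under .invalid, and the version check assumes the 2.12.4-rc1 and 2.3.2-rc1 candidates ship under those version numbers.

```python
"""Scan a log4j2 XML configuration for JDBC Appender DataSources whose JNDI
name uses a non-java: scheme (the CVE-2021-44832 attack path) and check a
log4j-core version string against the fixed releases.

Added example; not code from Log4j or from the opennet.ru article.
"""
import re
import xml.etree.ElementTree as ET

# Fixed releases per the advisory: 2.17.1 (and later), 2.12.4 and 2.3.2.
# Assumption: the 2.12.4-rc1 / 2.3.2-rc1 candidates ship under those numbers.
FIXED_BRANCHES = {(2, 12): (2, 12, 4), (2, 3): (2, 3, 2)}
FIXED_MAINLINE = (2, 17, 1)

# Constructed sample: one legitimate JDBC appender using a java: name and two
# planted ones pointing at external LDAP/RMI JNDI URIs (placeholder hosts).
SAMPLE_CONFIG = """<Configuration status="warn">
  <Appenders>
    <JDBC name="db" tableName="APP_LOG">
      <DataSource jndiName="java:comp/env/jdbc/LoggingDataSource"/>
      <Column name="MESSAGE" pattern="%m"/>
    </JDBC>
    <JDBC name="planted" tableName="APP_LOG">
      <DataSource jndiName="ldap://ldap.example.invalid:1389/o=ref"/>
    </JDBC>
    <Appender type="JDBC" name="planted2" tableName="APP_LOG">
      <DataSource jndiName="rmi://rmi.example.invalid:1099/o"/>
    </Appender>
  </Appenders>
  <Loggers><Root level="info"><AppenderRef ref="db"/></Root></Loggers>
</Configuration>
"""


def parse_version(version):
    """'2.17.1' -> (2, 17, 1); '2.12.4-rc1' -> (2, 12, 4) (suffix dropped)."""
    m = re.match(r"(\d+)\.(\d+)(?:\.(\d+))?", version)
    if not m:
        raise ValueError(f"unrecognised log4j version: {version!r}")
    return (int(m.group(1)), int(m.group(2)), int(m.group(3) or 0))


def is_fixed(version):
    """True if the given log4j-core version carries the CVE-2021-44832 fix."""
    v = parse_version(version)
    branch = v[:2]
    if branch in FIXED_BRANCHES:      # Java 6 / Java 7 maintenance branches
        return v >= FIXED_BRANCHES[branch]
    return v >= FIXED_MAINLINE        # everything else: 2.17.1 or later


def _attrs_lower(elem):
    # log4j2 treats element and attribute names case-insensitively
    return {k.lower(): val for k, val in elem.attrib.items()}


def _is_jdbc_appender(elem):
    tag = elem.tag.lower()
    if tag == "jdbc":                 # concise form: <JDBC name="...">
        return True
    # strict form: <Appender type="JDBC" name="...">
    return tag == "appender" and _attrs_lower(elem).get("type", "").lower() == "jdbc"


def find_unsafe_jndi_datasources(xml_text):
    """Return (appender name, jndiName) for every JDBC DataSource whose JNDI
    name carries a scheme other than java: (e.g. ldap://, rmi://).
    Names without a scheme are treated as local java: names and not flagged."""
    root = ET.fromstring(xml_text)
    findings = []
    for elem in root.iter():
        if not _is_jdbc_appender(elem):
            continue
        appender = _attrs_lower(elem).get("name", "<unnamed>")
        for child in elem:
            if child.tag.lower() != "datasource":
                continue
            jndi = _attrs_lower(child).get("jndiname", "")
            scheme = jndi.partition(":")[0].lower() if ":" in jndi else None
            if scheme is not None and scheme != "java":
                findings.append((appender, jndi))
    return findings


if __name__ == "__main__":
    for name, jndi in find_unsafe_jndi_datasources(SAMPLE_CONFIG):
        print(f"suspicious JDBC appender {name!r}: jndiName={jndi}")
    for ver in ("2.16.0", "2.17.0", "2.17.1", "2.12.4-rc1", "2.3.2"):
        print(ver, "fixed" if is_fixed(ver) else "VULNERABLE")
```

Run it against each file the application could load through log4j2.configurationFile (system property, environment variable or the default log4j2.xml on the classpath), not just the one you expect to be active, since the precondition of the attack is precisely that the attacker has swapped or edited that file. A finding on an unpatched log4j-core is what the advisory describes; on 2.17.1 and later the same entry is refused unless the deployment has explicitly re-enabled JNDI for the JDBC Appender (log4j2.enableJndiJdbc=true).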

Source: opennet.ru