If you caught Groundhog Day over the holiday period, you may know where this blog is going. Yes, we have another log4j vulnerability! Similar to the one announced on 18th December, this variant is certainly not as high risk as the initial issues and has a lower severity rating of “medium” (6.6 on the Common Vulnerability Scoring System, CVSS). It has been described as enabling “an attacker with permission to modify the logging configuration file [to] construct a malicious configuration.” As such, it can only be exploited if the bad actor has already gained write access to the logging configuration, which in itself is a much bigger issue.
Regardless, we have a new CVE-ID, CVE-2021-44832, and Apache has released a new fix in the form of version 2.17.1 (see the Apache release notes).
Options have updated our Firewall IPS signatures, vulnerability scanners, and AI bots accordingly. We are applying v2.17.1 to any system that we patched to v2.17.0 and using v2.17.1 going forward or applying vendor patches/mitigation steps as they are released.
To summarise, version 2.17.1 now addresses each of these vulnerabilities:

| CVE | CVSS v3.1 Score (out of 10) | NVD Published Date |
|---|---|---|
| CVE-2021-44832 | 6.6 | 28/12/2021 |
| CVE-2021-45105 | 5.9 | 18/12/2021 |
| CVE-2021-45046 | 9.0 | 14/12/2021 |
| CVE-2021-44228 | 10.0 | 10/12/2021 |
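The table above is a useful checklist when deciding which deployments still need the 2.17.1 upgrade. The following Python script is an added example, not Options' own tooling: it takes an inventory of `log4j-core` jar paths, reads the version from the file name, and reports which of the four CVEs in the table each version still leaves unfixed, so that a host patched to 2.17.0 shows up as needing 2.17.1. The fix-version mapping comes from the Apache Log4j security advisories rather than from this post and covers only the main 2.x line (the separate 2.12.x and 2.3.x backport branches have their own fix releases); the sample paths are constructed, and a file-name check is only a first pass, since shaded or renamed jars will not match the pattern.

```python
import re
from pathlib import PurePosixPath

# Release in which Apache Log4j 2 first fixed each CVE from the table above.
# Fix versions are taken from the Apache Log4j security advisories (2.x main
# line only), not from this post.
CVE_FIXED_IN = {
    "CVE-2021-44228": (2, 15, 0),
    "CVE-2021-45046": (2, 16, 0),
    "CVE-2021-45105": (2, 17, 0),
    "CVE-2021-44832": (2, 17, 1),
}
TARGET = (2, 17, 1)  # the version this post recommends rolling out

# Matches the standard Maven artifact name, e.g. log4j-core-2.17.0.jar
JAR_RE = re.compile(r"^log4j-core-(\d+)\.(\d+)\.(\d+)\.jar$")


def parse_version(path):
    """Return (major, minor, patch) from a log4j-core jar path, or None if
    the file name does not follow the log4j-core-<version>.jar convention."""
    m = JAR_RE.match(PurePosixPath(path).name)
    return tuple(int(x) for x in m.groups()) if m else None


def outstanding_cves(version):
    """CVEs from the table that the given log4j-core version does not fix."""
    return sorted(cve for cve, fixed in CVE_FIXED_IN.items() if version < fixed)


def audit(paths):
    """Map each recognised log4j-core jar path to (version, unfixed CVEs).
    Paths that are not log4j-core jars (e.g. log4j-api) are skipped."""
    report = {}
    for p in paths:
        v = parse_version(p)
        if v is None:
            continue
        report[p] = (v, outstanding_cves(v))
    return report


# Constructed sample inventory; these are not real hosts or paths.
SAMPLE = [
    "/opt/app1/lib/log4j-core-2.14.1.jar",
    "/opt/app2/lib/log4j-core-2.17.0.jar",
    "/opt/app3/lib/log4j-core-2.17.1.jar",
    "/opt/app3/lib/log4j-api-2.17.1.jar",
]

if __name__ == "__main__":
    for path, (v, cves) in audit(SAMPLE).items():
        label = ".".join(map(str, v))
        status = "OK" if not cves else "UPGRADE to 2.17.1 (" + ", ".join(cves) + ")"
        print(f"{path}: {label} {status}")
```

In practice the `SAMPLE` list would be replaced by the output of a filesystem search (or a software inventory export) across the estate, and anything still flagged with `CVE-2021-44832` is exactly the set of 2.17.0 hosts this post describes moving to 2.17.1.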
- Options InfoSec Committee.