The Log4j Timeline of Events (Plus a New Vulnerability)

Today, Apache Log4j disclosed yet another vulnerability. This time, it’s CVE-2021-44832, a vulnerability in Apache Log4j versions through 2.17.0 that allows an attacker with permissions to modify the logging configuration file to execute arbitrary code. Apache Log4j version 2.17.1 was released today to address the issue.

While certainly not ideal, this vulnerability is not as severe as the previous well-documented vulnerabilities leading up to the holidays. Apache rates it moderate severity, with a CVSS score of 6.6/10. To actually exploit it, an attacker would have to be able to modify the logging configuration file, a privilege that would likely indicate compromise elsewhere.

How Did We Get Here? The Log4j Saga

It’s certainly been a whirlwind for security teams. Let’s recap the timeline of the past few weeks of Log4j vulnerabilities.

November 24 - Security researcher Chen Zhaojun discovers the now infamous CVE-2021-44228, or “Log4Shell,” vulnerability that allows unauthenticated attackers to execute remote code on vulnerable systems, scoring a CVSS of 10 out of a possible 10.

Log4j versions 2.0-beta9 up to 2.14.1 are affected.

December 6 - Apache Log4j releases version 2.15.0 to remediate the vulnerability. Shortly after, CVE-2021-45046 is discovered; further research showed that it, too, allowed remote code execution, and it eventually netted a CVSS of 9.0/10.

Log4j versions 2.0-beta9 to 2.15.0 were affected, excluding 2.12.2.

December 13 - Version 2.16.0 of Apache Log4j is released to remediate it. Yet another vulnerability is then discovered, CVE-2021-45105, a CVSS 5.9/10 denial of service vulnerability caused by infinite recursion in lookup evaluation.

Log4j versions 2.0-beta9 to 2.16.0 were affected, excluding 2.12.3.

December 18 - The Log4j team releases version 2.17.0 to fix the denial of service vulnerability.

December 28 - Yet another patch is released, version 2.17.1, this time to remediate CVE-2021-44832, a CVSS 6.6/10 vulnerability that allows code execution by attackers with permissions to modify the logging configuration file.

Log4j versions from 2.0-alpha7 to 2.17.0 were affected, excluding 2.3.2 and 2.12.4.
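To turn the ranges above into an inventory check, here is an added example (not Automox's or Apache's code) that parses a Log4j 2 version string, orders pre-release tags such as 2.0-alpha7 and 2.0-beta9 below final releases, and reports which of the four CVEs in the timeline apply. The ranges and exclusions are transcribed exactly from the timeline; the ordering of -alpha/-beta/-rc suffixes is an assumption about Log4j's numbering scheme.

```python
import re

# Added example, not Apache or Automox code. Version ranges are transcribed from the
# timeline above; ranking -alpha/-beta/-rc suffixes below a final release is an
# assumption about Log4j's numbering scheme.
PRERELEASE_RANK = {"alpha": 0, "beta": 1, "rc": 2}
FINAL_RANK = 3

def parse_version(text):
    """Turn '2.0-beta9' into (2, 0, 0, 1, 9) and '2.17.1' into (2, 17, 1, 3, 0).

    Tuples compare element-wise, so 2.0-alpha7 < 2.0-beta9 < 2.0 < 2.0.1.
    """
    m = re.fullmatch(r"(\d+)\.(\d+)(?:\.(\d+))?(?:-(alpha|beta|rc)(\d+))?", text.strip())
    if not m:
        raise ValueError(f"unrecognised Log4j 2 version: {text!r}")
    major, minor, patch, tag, number = m.groups()
    rank = PRERELEASE_RANK.get(tag, FINAL_RANK)
    return (int(major), int(minor), int(patch or 0), rank, int(number or 0))

# (CVE, first affected, last affected, excluded backport releases), as stated above.
ADVISORIES = [
    ("CVE-2021-44228", "2.0-beta9", "2.14.1", ()),
    ("CVE-2021-45046", "2.0-beta9", "2.15.0", ("2.12.2",)),
    ("CVE-2021-45105", "2.0-beta9", "2.16.0", ("2.12.3",)),
    ("CVE-2021-44832", "2.0-alpha7", "2.17.0", ("2.3.2", "2.12.4")),
]

def affected_cves(version):
    """Return the CVE ids from the timeline whose stated range covers `version`.

    Only the exclusions the timeline names are applied; other backport releases on
    the 2.3.x and 2.12.x branches should be confirmed against Apache's own advisory.
    """
    pv = parse_version(version)
    hits = []
    for cve, first, last, excluded in ADVISORIES:
        in_range = parse_version(first) <= pv <= parse_version(last)
        if in_range and pv not in {parse_version(x) for x in excluded}:
            hits.append(cve)
    return hits

if __name__ == "__main__":
    # Constructed inventory: version strings as they might appear in a jar manifest.
    for v in ["2.0-beta8", "2.14.1", "2.15.0", "2.16.0", "2.17.0", "2.17.1"]:
        print(f"log4j-core {v:<10} -> {', '.join(affected_cves(v)) or 'none of the above'}")
```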

Automox for Easy IT Operations

Automox is the cloud-native IT operations platform for modern organizations. It makes it easy to keep every endpoint automatically configured, patched, and secured – anywhere in the world. With the push of a button, IT admins can fix critical vulnerabilities faster, slash cost and complexity, and win back hours in their day. Demo Automox and join thousands of companies transforming IT operations into a strategic business driver.