mergebase / log4j-detector

A public open-source tool: a Log4J scanner that detects vulnerable Log4J versions (CVE-2021-44228, CVE-2021-45046, etc.) on your file system within any application. It can even find Log4J instances that are hidden several layers deep, nested inside other archives. Works on Linux, Windows, and Mac, and everywhere else Java runs, too!

New log4j 2.17.0 CVE that can lead to RCE #74

Closed SonamorN closed 2 years ago

SonamorN commented 2 years ago

Hi All,

Yesterday a new CVE emerged that describes various versions of log4j, including 2.17.0, as being vulnerable to a new CVE that can lead to RCE. Info below:

https://nvd.nist.gov/vuln/detail/CVE-2021-44832#VulnChangeHistorySection

Description

Apache Log4j2 versions 2.0-beta7 through 2.17.0 (excluding security fix releases 2.3.2 and 2.12.4) are vulnerable to a remote code execution (RCE) attack where an attacker with permission to modify the logging configuration file can construct a malicious configuration using a JDBC Appender with a data source referencing a JNDI URI which can execute remote code. This issue is fixed by limiting JNDI data source names to the java protocol in Log4j2 versions 2.17.1, 2.12.4, and 2.3.2.

How will the project categorize the 2.17.0 version from now on?

I believe in the past, with a similar issue, you went down the path of flagging that new version as vulnerable, but correct me if I'm wrong. Sorry, I can't remember the specifics here.

So will the project follow the same path here as well?

juliusmusseau commented 2 years ago

v2021.12.29 of log4j-detector has been released, which addresses this:

false-hits/log4j-core-2.12.2.jar contains Log4J-2.x   == 2.12.2 _OKAY_
false-hits/log4j-core-2.12.3.jar contains Log4J-2.x   == 2.12.3 _OKAY_
false-hits/log4j-core-2.12.4.jar contains Log4J-2.x   == 2.12.4 _SAFE_
false-hits/log4j-core-2.15.0.jar contains Log4J-2.x   == 2.15.0 _OKAY_
false-hits/log4j-core-2.16.0.jar contains Log4J-2.x   == 2.16.0 _OKAY_
false-hits/log4j-core-2.17.0.jar contains Log4J-2.x   == 2.17.0 _OKAY_
false-hits/log4j-core-2.17.1.jar contains Log4J-2.x   >= 2.17.1 _SAFE_
false-hits/log4j-core-2.3.1.jar contains Log4J-2.x   == 2.3.1 _OKAY_
false-hits/log4j-core-2.3.2.jar contains Log4J-2.x   == 2.3.2 _SAFE_
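To make the categorisation above concrete, here is an added example in Python. It is not log4j-detector's own code (the real tool is a Java program and does not rely solely on the Maven descriptor this example reads). It walks a directory, opens every jar/war/ear/zip, descends into archives nested inside archives, reads the log4j-core version from META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties, and labels it from the version ranges in the NVD description quoted in this issue. The AFFECTED/SAFE/OUT_OF_SCOPE labels, the MAX_DEPTH limit, the "outer!/inner" notation for nested paths, and the sample jars it constructs in a temporary directory are this example's own; treating every 2.3.x at or above 2.3.2 and every 2.12.x at or above 2.12.4 as fixed is an assumption that generalises the two named fix releases.

```python
# Added example, not log4j-detector's code: find log4j-core jars (also nested
# ones), read their version, classify against CVE-2021-44832 per the NVD text.
import io
import os
import re
import tempfile
import zipfile

# Maven descriptor that real log4j-core jars carry; we read its "version=" line.
POM_PROPS = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
ARCHIVE_EXT = (".jar", ".war", ".ear", ".zip")
MAX_DEPTH = 8  # archive-in-archive levels to descend (this example's limit)
BACKPORT_FIX = {3: 2, 12: 4}  # 2.3.2 and 2.12.4 are the old-branch fix releases
VERSION_RE = re.compile(r"^(\d+)\.(\d+)(?:\.(\d+))?(?:-(.+))?$")


def parse_version(text):
    """'2.17.0' -> (2, 17, 0, 1); '2.0-beta7' -> (2, 0, 0, 0).
    The last field sorts a pre-release (0) before the final release (1)."""
    m = VERSION_RE.match(text.strip())
    if not m:
        raise ValueError("unrecognised log4j version: %r" % text)
    major, minor, patch, qualifier = m.groups()
    return (int(major), int(minor), int(patch or 0), 0 if qualifier else 1)


def classify(version):
    """Labels are this example's own. Per NVD, 2.0-beta7 through 2.17.0 are
    affected by CVE-2021-44832 except 2.3.2 and 2.12.4; 2.17.1 fixes it on
    the main line. log4j-detector prints _SAFE_ for the fix releases and
    _OKAY_ for 2.15.0 / 2.16.0 / 2.17.0 in the output above."""
    v = parse_version(version)
    major, minor, patch, _ = v
    if major != 2:
        return "OUT_OF_SCOPE"  # log4j 1.x / 3.x are outside this CVE's range
    if v >= (2, 17, 1, 1):
        return "SAFE"
    if minor in BACKPORT_FIX and patch >= BACKPORT_FIX[minor]:
        return "SAFE"  # assumption: later 2.3.x / 2.12.x keep the backported fix
    # Everything else in 2.x up to 2.17.0. Pre-releases older than 2.0-beta7
    # land here too, which is deliberately conservative.
    return "AFFECTED"


def _scan_zip(zf, display, findings, depth):
    """Read the version from one open archive, recurse into nested archives."""
    for name in zf.namelist():
        if name == POM_PROPS:
            for line in zf.read(name).decode("utf-8", "replace").splitlines():
                if line.startswith("version="):
                    ver = line.split("=", 1)[1].strip()
                    findings.append((display, ver, classify(ver)))
        elif name.lower().endswith(ARCHIVE_EXT) and depth < MAX_DEPTH:
            try:
                inner = zipfile.ZipFile(io.BytesIO(zf.read(name)))
            except zipfile.BadZipFile:
                continue  # a .jar that is not a zip: skip it, do not abort the scan
            with inner:
                _scan_zip(inner, display + "!/" + name, findings, depth + 1)


def scan_tree(root):
    """Walk root and return sorted (path, version, label) triples."""
    findings = []
    for dirpath, _, files in os.walk(root):
        for fn in files:
            if not fn.lower().endswith(ARCHIVE_EXT):
                continue
            path = os.path.join(dirpath, fn)
            try:
                zf = zipfile.ZipFile(path)
            except zipfile.BadZipFile:
                continue
            with zf:
                rel = os.path.relpath(path, root).replace(os.sep, "/")
                _scan_zip(zf, rel, findings, 0)
    return sorted(findings)


def _make_log4j_jar(version):
    """Constructed stand-in for a log4j-core jar: only the Maven descriptor."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(POM_PROPS, "artifactId=log4j-core\nversion=%s\n" % version)
    return buf.getvalue()


def build_sample_tree(root):
    """Constructed inputs: two loose jars, one jar nested in a .war, one junk .jar."""
    os.makedirs(os.path.join(root, "false-hits"))
    with open(os.path.join(root, "false-hits", "log4j-core-2.17.1.jar"), "wb") as f:
        f.write(_make_log4j_jar("2.17.1"))
    with open(os.path.join(root, "log4j-core-2.12.4.jar"), "wb") as f:
        f.write(_make_log4j_jar("2.12.4"))
    with zipfile.ZipFile(os.path.join(root, "app.war"), "w") as war:
        war.writestr("WEB-INF/lib/log4j-core-2.17.0.jar", _make_log4j_jar("2.17.0"))
    with open(os.path.join(root, "notes.jar"), "wb") as f:
        f.write(b"not a zip at all")  # must be skipped, not crash the scan


def demo():
    with tempfile.TemporaryDirectory() as root:
        build_sample_tree(root)
        return scan_tree(root)


if __name__ == "__main__":
    for path, ver, label in demo():
        print("%s contains Log4J-2.x == %s %s" % (path, ver, label))
```

Running it prints the nested 2.17.0 jar inside app.war as AFFECTED and the two loose jars as SAFE, while the corrupt notes.jar is skipped silently. Because only pom.properties is consulted, a repackaged or shaded log4j-core that drops the Maven descriptor would be missed, which is exactly why a real scanner also inspects the class files.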