[CRITICAL] Log4j 2.17.1 Fix Available from Apache

December 29, 2021 11:19 am

Apache has now released another patch for log4j. Version 2.17.1, tracked as CVE-2021-44832, fixes a newly discovered remote code execution (RCE) vulnerability. This is the fifth (5) fix to 'log4j' this month and continues to be monitored closely in our environment. Please review your applications for log4j usage, and if vulnerable, please plan for immediate patching.
 
Log4j users should immediately upgrade to the latest release 2.17.1 (for Java 8). Backported versions 2.12.4 (Java 7) and 2.3.2 (Java 6) containing the fix are also expected to be released shortly.
 
References:
Log4j Updates https://logging.apache.org/log4j/2.x/download.html 
CISA Apache Log4j Vulnerability Guidance https://www.cisa.gov/uscert/apache-log4j-vulnerability-guidance 
Previous MGB Log4j Article https://rc.partners.org/news-events/alerts/critical-apache-log4j2-patching-updated-121521