Do I need to upgrade to Log4j 2.17.1?
Apache Team has released a new upgrade of Log4j library 2.17.1 in response to the CVE-2021-44832. Though on CVSS scale it’s rated as 6.6 out of 10 but the vulnerability can’t be exploit until an attacker gets into the machine. This is more of arbitrary code execution rather than remote code execution and severity much lesser than Log4shell vulnerability. There is no need to panic if you have already upgraded to 2.17.1 version of Log4j..
In short, if the attacker has access to configuration then the configuration can be modified to construct a malicious configuration using a JDBC Appender with a data source referencing a JNDI URI which can execute remote code from the attacker’s server.
Versions affected: Almost all Log4j versions
Solution: Upgrade to Log4j 2.17.1