Whether Log4j should be upgraded 2.17.0?
As we all know the Log4j Vulnerability was a critical CVSS score of 10 Vulnerability that was discovered on Dec 9th, 2021. This was due to incorrect logging when a JNDI string is passed in the payload. There was couple of quick fixes from Apache Log4j volunteers which did fix the main CVE but lead to other issues which were fixed in other version of Log4j (The latest as of now is 2.17.0) Let us see whether it’s necessary to upgrade to Log4j 2.17.0 or just Log4j 2.15.0 would be sufficient enough for many applications
Log4j 2.15.0 : This addressed the critical Vulnerability CVE-2021-44228 by disabling the JNDI lookups and returning a constant string for JNDI lookups along with message lookup feature being removed
Log4j 2.16.0: The fix in 2.15.0 was incomplete because in certain non default configurations, input data can be malicious input data causing Remote Code Execution (And the previous mitigation steps provided in 2.15.0 didn’t not mitigate this specific vulnerability)
Log4j 2.17.0: The fix in 2.16.0 didn’t protect from self referential lookups, When logging configuration uses a non-default Pattern layout attackers can still send malicious data so in the latest version this is fixed by removing references to Context Lookups
So now it’s very safe to upgrade to Log4j 2.17.0 but even if your application uses 2.15.0 it’s still safe from any exploit attempts (unless you didn’t use default configuration)