Coverage for CVE-2021-44832

I noticed that Apache updated their Log4j documentation on their site. Looks like a Moderate vuln found in all versions from 2.0-alpha7 to 2.17.0, excluding 2.3.2 and 2.12.4, and they have issued a new patch for Java 6, 7 and 8. Will we have coverage for CVE-2021-44832 soon?

We do have plans to release coverage for CVE-2021-44832. It’s a little lower priority than CVE-2021-44228 related updates because it’s not very likely to be exploited, since it’s only for a non-default configuration that requires the attacker to have control over the Log4j config file. But it’s on our radar and we do plan to add coverage for it.

Thanks for the update, @holly_wilsey. I checked this morning, and noticed they are now in there. :+1:

I noticed that with 2021-44832 and 2021-45105, the severity doesn’t match Apache’s rank of severity. Why is that? For instance, 45105 and 44832 show “Moderate”, yet in InsightVM it shows that 45105 is “Critical” and 44832 is “Severe”. I have been confusing our data center admins and contractors when expressing the severity of each.

I double-checked with the team on this one, and since InsightVM has its own severity scale (which uses CVSSv2 but doesn’t 100% align with it), it’s resulting in the discrepancy you mentioned between VM and Apache’s severities. We’ve seen this with some other vulnerabilities too, and though it can be kind of confusing between vendors, hopefully it makes more sense now.