Published Corrective releases of the library Log4J 2.17.1 , 2.3.2-RC1 and 2.12.4-RC1, which eliminated one more ( CVE- 2021-44832 ). The problem allows you to organize a remote code execution, but marked as non-hazard (CVSS SCORE 6.6) and basically represents only theoretical interest, since it requires specific conditions for operation – the attacker must be able to make a change to a file with the log4j settings, i.e. Must have access to the attacked system and the authority to change the configuration parameters (log4j2.configurationfile) or make changes to existing files with settings for logging.
/Media reports.