Time to Patch Log4j Again; Apache Releases 2.17 Fixing DoS

Third Patch Issued Fixes Denial of Service Flaw
The Log4j 2 vulnerability is sometimes being referred to as Log4shell as in this tongue-in-cheek logo drawn by security researcher Kevin Beaumont.

Apache has released Log4j version 2.17 to fix yet another high-severity denial-of-service vulnerability - tracked as CVE-2021-45105 with a CVSS score of 7.5 - that affects all versions from 2.0-beta9 to 2.16.0.


The latest version, issued by the nonprofit Apache Software Foundation, addresses a denial-of-service flaw that is present in 2.16 and all earlier affected versions.

Previously, Apache had released Log4j version 2.16 to fix another issue designated as CVE-2021-45046 that could result in a remote code execution flaw, which stemmed from an "incomplete" fix for CVE-2021-44228, otherwise called the Log4Shell vulnerability.

Uncontrolled Recursion

"Apache Log4j2 versions 2.0-alpha1 through 2.16.0 did not protect from uncontrolled recursion from self-referential lookups," according to Apache Software Foundation. "When the logging configuration uses a non-default Pattern Layout with a Context Lookup (for example, $${ctx:loginId}), attackers with control over Thread Context Map (MDC) input data can craft malicious input data that contains a recursive lookup, resulting in a StackOverflowError that will terminate the process."
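To make the mechanism in that advisory concrete, here is an added Python model (not Log4j's own code) of `${ctx:key}` lookup substitution: an unbounded resolver that rescans every substituted MDC value and so recurses without limit on a value that refers to its own key, beside a resolver that caps nesting depth and turns the overflow into an ordinary, catchable error. The pattern, the MDC contents and the depth limit of 8 are constructed for this example and are not Log4j's values.

```python
import re

# Simplified Log4j-style lookup syntax: ${prefix:key}. Only the ctx: (MDC) prefix is
# modelled and nested braces are not supported; enough for the self-reference case.
LOOKUP = re.compile(r"\$\{([a-zA-Z]+):([^}]*)\}")

class LookupDepthExceeded(Exception):
    """Raised by the bounded resolver instead of letting the stack overflow."""

def _expand(text, ctx, on_value):
    """Replace each lookup in text with on_value(MDC value); unknown keys stay verbatim."""
    out, pos = [], 0
    for m in LOOKUP.finditer(text):
        out.append(text[pos:m.start()])
        val = ctx.get(m.group(2)) if m.group(1) == "ctx" else None
        out.append(m.group(0) if val is None else on_value(val))
        pos = m.end()
    out.append(text[pos:])
    return "".join(out)

def resolve_naive(text, ctx):
    """Unbounded: every substituted value is rescanned for lookups, so a value that
    refers to its own key recurses until the interpreter's stack limit is hit
    (Python's RecursionError stands in for Java's StackOverflowError)."""
    return _expand(text, ctx, lambda v: resolve_naive(v, ctx))

def resolve_bounded(text, ctx, max_depth=8, _depth=0):
    """Hardened: nesting depth is capped (8 is an assumed limit for this example,
    not Log4j's) and exceeding it raises an ordinary error the caller can handle."""
    if _depth > max_depth:
        raise LookupDepthExceeded(f"lookup nesting deeper than {max_depth}")
    return _expand(text, ctx, lambda v: resolve_bounded(v, ctx, max_depth, _depth + 1))

def outcome(resolver, pattern, ctx):
    """Run a resolver and classify what happened, so both behaviours can be compared."""
    try:
        return "ok:" + resolver(pattern, ctx)
    except RecursionError:
        return "stack-overflow"   # the process-terminating case the advisory describes
    except LookupDepthExceeded:
        return "depth-limit"      # the bounded resolver fails closed instead

if __name__ == "__main__":
    pattern = "user=${ctx:loginId} msg=%m"      # constructed layout using a Context Lookup
    benign = {"loginId": "alice"}                # constructed MDC contents
    self_ref = {"loginId": "${ctx:loginId}"}     # MDC value that refers to its own key
    for ctx in (benign, self_ref):
        print(outcome(resolve_naive, pattern, ctx), "|", outcome(resolve_bounded, pattern, ctx))
```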

The foundation has credited Hideki Okamoto of Akamai Technologies and another anonymous vulnerability researcher with reporting the flaw.

The latest patch comes after the U.S. Cybersecurity and Infrastructure Security Agency issued an emergency directive on Friday regarding the explosive Apache Log4j vulnerabilities. The directive requires federal civilian departments and agencies to immediately patch their systems or implement appropriate mitigation measures.

CISA previously gave agencies until Friday to patch against Log4j exploits via its Known Exploited Vulnerabilities Catalog.

Maintained by the nonprofit Apache Software Foundation, Log4j provides logging capabilities for Java applications and is widely used, including for Apache web server software.


About the Author

Prajeet Nair


Principal Correspondent, ISMG

Nair is principal correspondent for Information Security Media Group's global news desk. He has previously worked at TechCircle, IDG, Times Group and other publications where he reported on developments in enterprise technology, digital transformation and other issues.



