Apache reveals another bug in Log4J • The Register

The Apache Software Foundation (ASF) has revealed a third bug in its open source Log4j Java logging library.

CVE-2021-45105 is an infinite recursion bug rated 7.5/10 that is present in Log4j2 versions 2.0-alpha1 through 2.16.0. The fix is Log4j version 2.17.0.

This is the third new version of the tool in the last ten days.

In case you haven’t been paying attention, version 2.15.0 was released to fix CVE-2021-44228, the critical and trivially exploitable remote code execution flaw present in many versions up to 2.14.0.

But version 2.15.0 did not resolve another issue – CVE-2021-45046 – that allowed a remote attacker with control over Thread Context Map (MDC) input data to craft malicious input using a JNDI Lookup pattern. The result could be remote code execution, though not in all environments.

Version 2.16.0 fixed this problem.

But that didn’t fix CVE-2021-45105, which the ASF describes as follows:

The vendor-independent bug bounty program, Zero Day Initiative, described the flaw as follows.

What to do?

Now you know the drill: download the latest version, 2.17.0, of Log4j here and install it wherever Log4j runs, which of course turns out to be everywhere (including some hard-to-find places).

The ASF also described the following mitigation measures:

  • In PatternLayout in the logging configuration, replace Context Lookups like ${ctx:loginId} or $${ctx:loginId} with Thread Context Map patterns (%X, %mdc, or %MDC).
  • Otherwise, in the configuration, remove references to Context Lookups like ${ctx:loginId} or $${ctx:loginId} where they originate from sources external to the application, such as HTTP headers or user input.
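As an added example (not from the article, the ASF or the Log4j project), the following Python script applies the first mitigation mechanically: it finds Context Lookups in the PatternLayout patterns of a log4j2.xml and rewrites them to the %X{key} form. The config contents and appender names are constructed for the demonstration.

```python
"""Find and rewrite Log4j2 Context Lookups (${ctx:...} / $${ctx:...}) in PatternLayout
patterns, as the ASF recommends for CVE-2021-45105. Example code, not Log4j's own."""
import re
import xml.etree.ElementTree as ET

# Constructed sample log4j2.xml: the "Weak" appender resolves Context Lookups in its
# pattern (the risky setting); "Safe" already uses the %X thread-context converter.
SAMPLE_CONFIG = """<Configuration status="WARN">
  <Appenders>
    <Console name="Weak" target="SYSTEM_OUT">
      <PatternLayout pattern="%d %p user=${ctx:loginId} session=$${ctx:sessionId} %m%n"/>
    </Console>
    <Console name="Safe" target="SYSTEM_OUT">
      <PatternLayout pattern="%d %p user=%X{loginId} %m%n"/>
    </Console>
  </Appenders>
  <Loggers><Root level="info"><AppenderRef ref="Weak"/></Root></Loggers>
</Configuration>
"""

# Matches ${ctx:KEY} and $${ctx:KEY}, with an optional ":-default" suffix.
# The leading "$$" form is the escaped lookup that Log4j resolves at log time.
CTX_LOOKUP = re.compile(r"\$?\$\{ctx:([^}:]+)(?::-[^}]*)?\}")


def find_ctx_lookups(config_xml: str) -> list:
    """Return (appender name, pattern, [keys]) for each PatternLayout using a ctx lookup."""
    hits = []
    root = ET.fromstring(config_xml)
    for appender in root.find("Appenders"):
        for layout in appender.iter("PatternLayout"):
            pattern = layout.get("pattern", "")
            keys = CTX_LOOKUP.findall(pattern)
            if keys:
                hits.append((appender.get("name"), pattern, keys))
    return hits


def rewrite_pattern(pattern: str) -> str:
    """Replace each ${ctx:key} / $${ctx:key} with the %X{key} pattern converter.
    A ":-default" on the lookup is dropped; %X prints an empty value when the key is unset."""
    return CTX_LOOKUP.sub(lambda m: "%X{" + m.group(1) + "}", pattern)


if __name__ == "__main__":
    for name, pattern, keys in find_ctx_lookups(SAMPLE_CONFIG):
        print(f"appender {name!r} uses Context Lookup(s) {keys}")
        print("  before:", pattern)
        print("  after: ", rewrite_pattern(pattern))
```

The same regex can be run over properties, YAML or JSON configurations, since the lookup syntax is identical there; only the XML walk is format-specific.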

Once you’re done, keep your fingers crossed and hope the ASF has found all the holes that need immediate fixes, so we can all stop worrying about this software this Christmas. ®

About Geraldine Higgins
