Time to Patch Log4j Again; Apache Releases 2.17 Fixing DoS
Third Patch Issued Fixes Denial of Service Flaw

Apache has released Log4j version 2.17 to fix yet another high-severity denial-of-service vulnerability - tracked as CVE-2021-45105 with a CVSS score of 7.5 - that affects all versions from 2.0-beta9 to 2.16.0.
The latest version, released by the nonprofit Apache Software Foundation, addresses a denial-of-service flaw present in 2.16 and all earlier affected versions.
Previously, Apache had released Log4j version 2.16 to fix another issue, designated CVE-2021-45046, that could result in remote code execution and stemmed from an "incomplete" fix for CVE-2021-44228, better known as the Log4Shell vulnerability.
Uncontrolled Recursion
"Apache Log4j2 versions 2.0-alpha1 through 2.16.0 did not protect from uncontrolled recursion from self-referential lookups," according to Apache Software Foundation. "When the logging configuration uses a non-default Pattern Layout with a Context Lookup (for example, $${ctx:loginId}), attackers with control over Thread Context Map (MDC) input data can craft malicious input data that contains a recursive lookup, resulting in a StackOverflowError that will terminate the process."
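As an added check, not part of the article or of Apache's own tooling, the Python below scans a constructed log4j2.xml for the precondition quoted above (a `${ctx:...}` Context Lookup inside a PatternLayout) and compares a log4j-core version string against the fixed release 2.17.0. The `%X{loginId}` converter in the second sample layout is Log4j's lookup-free way of printing the same Thread Context Map value; the function names and the sample configuration are this example's own.

```python
import re
import xml.etree.ElementTree as ET

FIXED_VERSION = (2, 17, 0)  # log4j-core release carrying the CVE-2021-45105 fix
# A Context Lookup inside a layout pattern, e.g. ${ctx:loginId} or $${ctx:loginId}
CTX_LOOKUP = re.compile(r"\$\$?\{ctx:[^}]*\}")

# Constructed sample log4j2.xml: the Console layout uses a Context Lookup (the
# advisory's precondition), the File layout reads the same MDC key via %X instead.
SAMPLE_CONFIG = """<Configuration status="WARN">
  <Appenders>
    <Console name="Console" target="SYSTEM_OUT">
      <PatternLayout pattern="%d %p user=$${ctx:loginId} %m%n"/>
    </Console>
    <File name="Audit" fileName="audit.log">
      <PatternLayout><Pattern>%d %p user=%X{loginId} %m%n</Pattern></PatternLayout>
    </File>
  </Appenders>
  <Loggers><Root level="info"><AppenderRef ref="Console"/></Root></Loggers>
</Configuration>"""

def parse_version(version):
    """Comparable tuple; a pre-release qualifier (beta9, rc1) sorts below the plain release."""
    base, _, qualifier = version.partition("-")
    nums = [int(p) for p in base.split(".")] + [0, 0]
    return tuple(nums[:3]) + ((0,) if qualifier else (1,))

def is_below_fix(version):
    """True for any Log4j 2.x release older than 2.17.0 (Log4j 1.x is out of scope)."""
    v = parse_version(version)
    return v[0] == 2 and v < FIXED_VERSION + (1,)

def _layout_pattern(layout):
    # PatternLayout takes the pattern either as an attribute or as a <Pattern> child
    pattern = layout.get("pattern")
    if pattern is None:
        child = layout.find("Pattern")
        pattern = (child.text or "") if child is not None else ""
    return pattern

def find_context_lookups(config_xml):
    """Return (pattern, lookups) for every PatternLayout that re-interpolates MDC values."""
    findings = []
    for layout in ET.fromstring(config_xml).iter("PatternLayout"):
        pattern = _layout_pattern(layout)
        hits = CTX_LOOKUP.findall(pattern)
        if hits:
            findings.append((pattern, hits))
    return findings
```

Run against a real configuration, each finding names a layout whose `${ctx:...}` lookup should be swapped for the `%X{key}` form.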
The foundation has credited Hideki Okamoto of Akamai Technologies and another anonymous vulnerability researcher with reporting the flaw.
The latest patch comes after the U.S. Cybersecurity and Infrastructure Security Agency issued an emergency directive on Friday regarding the explosive Apache Log4j vulnerabilities. The directive requires federal civilian departments and agencies to immediately patch their systems or implement appropriate mitigation measures.
CISA previously gave agencies until Friday to patch against Log4j exploits via its Known Exploited Vulnerabilities Catalog.
Maintained by the nonprofit Apache Software Foundation, Log4j provides logging capabilities for Java applications and is widely used, including for Apache web server software.