Apache Released Third Log4j Patch To Fix High Severity Denial Of Service Vulnerability

by host-admin December 21, 2021 0 Comment

In response to the Log4j issues that continue to stack up, the Apache Software Foundation (ASF) issued a third patch, version 2.17.0, late on Friday, December 18.

Third Log4j Update Rolled Out As Version 2.17.0

Earlier this week, Apache released version 2.16.0 to fix the Log4j vulnerability. It later discovered that the fix was incomplete, confirming that version 2.16 “does not always protect from infinite recursion in lookup evaluation” and that it is vulnerable to CVE-2021-45105, a denial-of-service vulnerability. Apache rated the severity as “high”, with a CVSS score of 7.5.

The Log4j vulnerabilities page on the Apache website describes the high-severity bug as follows:

“When the logging configuration utilizes a non-default Pattern Layout with a Context Lookup (for example, $${ctx:loginId}), attackers with control over Thread Context Map (MDC) input data can craft malicious input data that contains a recursive lookup, resulting in a StackOverflowError that will terminate the process”. 

The Apache Foundation further said that the issue can be mitigated by ensuring that Context Lookups such as ${ctx:loginId} or $${ctx:loginId} in the PatternLayout of the logging configuration are replaced with Thread Context Map patterns (%X, %mdc, or %MDC).

Alternatively, admins can remove references to Context Lookups such as ${ctx:loginId} or $${ctx:loginId} from the configuration wherever the data they expand originates from sources external to the application, such as HTTP headers or user input.
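As an added illustration (not taken from the article or from the Apache advisory), the following minimal log4j2.xml shows the vulnerable Context Lookup pattern beside the Thread Context Map pattern that the advisory recommends; the appender name, the logger names and the `loginId` key are assumed for the example.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Added example configuration; the names below are assumptions, not
     values from the article. -->
<Configuration status="WARN">
  <Appenders>
    <Console name="Console" target="SYSTEM_OUT">

      <!-- WEAK SETTING (do not use on Log4j 2.0-beta9 through 2.16.0):
           $${ctx:loginId} is a Context Lookup. The "$$" defers evaluation
           to log time, so the value read from the Thread Context Map (MDC)
           is itself fed back through lookup evaluation. If that value was
           copied from untrusted input and contains a recursive lookup, the
           pattern can recurse until a StackOverflowError kills the process
           (CVE-2021-45105).

      <PatternLayout pattern="%d{ISO8601} [%t] %-5level user=$${ctx:loginId} %c - %m%n"/>
      -->

      <!-- CORRECTED SETTING:
           %X{loginId} is a Thread Context Map pattern converter. It reads
           the MDC entry and prints it verbatim; the value is never
           re-evaluated as a lookup, so attacker-controlled MDC data cannot
           trigger recursion. %mdc{loginId} or %MDC{loginId} are equivalent. -->
      <PatternLayout pattern="%d{ISO8601} [%t] %-5level user=%X{loginId} %c - %m%n"/>

    </Console>
  </Appenders>
  <Loggers>
    <Root level="info">
      <AppenderRef ref="Console"/>
    </Root>
  </Loggers>
</Configuration>
```

Replacing the pattern is a mitigation for configurations that cannot be upgraded immediately; upgrading to 2.17.0, which bounds lookup recursion, remains the fix.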

The Log4Shell Vulnerability

The new vulnerability (CVE-2021-45105) affects all versions of the library from 2.0-beta9 through 2.16.0. To remediate the earlier severe flaw, Apache released version 2.16 on Tuesday, but that release failed to offer the necessary protection. Instead, it left systems exposed to a denial-of-service (DoS) vulnerability.

Apache therefore released version 2.17.0. Hideki Okamoto of Akamai Technologies and an anonymous security researcher are credited with discovering the bug.

Admins are advised to update to version 2.17.0 of Apache Log4j 2 to protect their systems from this vulnerability, or to take the necessary actions to mitigate the risk.
