Apache Released Third Log4j Patch To Fix High Severity Denial Of Service Vulnerability
In response to the issues with Log4j that continue to stack up, the Apache Software Foundation (ASF) issued its third patch, version 2.17.0, late on Friday, December 18.
Third Log4j Update Rolled Out As Version 2.17.0
Earlier this week, Apache released version 2.16.0 to fix the Log4j vulnerability. It then discovered a further problem, confirming that version 2.16 “does not always protect from infinite recursion in lookup evaluation” and that it is vulnerable to CVE-2021-45105, a denial of service vulnerability. Apache also rated the vulnerability’s severity as “high”, with a CVSS score of 7.5.
The Log4j vulnerabilities page on the Apache website explains the high-severity bug as:
“When the logging configuration utilizes a non-default Pattern Layout with a Context Lookup (for example, $${ctx:loginId}), attackers with control over Thread Context Map (MDC) input data can craft malicious input data that contains a recursive lookup, resulting in a StackOverflowError that will terminate the process”.
The Apache Foundation further said that the issue can be mitigated by ensuring that Context Lookups such as ${ctx:loginId} or $${ctx:loginId} in the PatternLayout of the logging configuration are replaced with Thread Context Map patterns (%X, %mdc, or %MDC).
Alternatively, admins can remove references to Context Lookups such as ${ctx:loginId} or $${ctx:loginId} from the configuration where the looked-up values originate from sources external to the application, such as HTTP headers or user input.
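As an added illustration (not from the article or from the Apache advisory), here is a constructed log4j2.xml that shows the Context Lookup pattern the advisory warns about next to the Thread Context Map pattern it recommends instead; the appender name, logger names and the `loginId` key are assumptions:

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Constructed example configuration for Log4j 2.
     The application is assumed to populate the Thread Context Map (MDC) with
     ThreadContext.put("loginId", value), where value may come from an
     untrusted source such as an HTTP header. -->
<Configuration status="WARN">
  <Appenders>
    <Console name="Stdout" target="SYSTEM_OUT">

      <!-- VULNERABLE (before): the "$${ctx:loginId}" Context Lookup is resolved
           by the lookup engine at log-event time. If the stored value itself
           contains a lookup (for example "${ctx:loginId}"), evaluation recurses
           until a StackOverflowError terminates the process (CVE-2021-45105
           on Log4j 2.16.0). Shown here only as a comment; do not use it.

      <PatternLayout pattern="%d{ISO8601} %-5p [%t] user=$${ctx:loginId} %c - %m%n"/>
      -->

      <!-- MITIGATED (after): %X{loginId} copies the MDC value into the output
           as literal text, so attacker-controlled content is never handed to
           the lookup engine. %X with no key, %mdc and %MDC behave the same way. -->
      <PatternLayout pattern="%d{ISO8601} %-5p [%t] user=%X{loginId} %c - %m%n"/>

    </Console>
  </Appenders>
  <Loggers>
    <Root level="info">
      <AppenderRef ref="Stdout"/>
    </Root>
  </Loggers>
</Configuration>
```

The pattern change is a configuration-only mitigation; upgrading to 2.17.0 remains the complete fix.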
The Log4Shell Vulnerability
The new Log4Shell (CVE-2021-45105) vulnerability affects all versions of the tool from 2.0-beta9 through 2.16.0. To remediate the severe flaw, Apache released version 2.16 on Tuesday, but that release ultimately failed to offer the necessary protection. Instead, it put systems at further risk by introducing a denial-of-service (DoS) vulnerability.
Hence Apache released the latest version, 2.17.0. Hideki Okamoto of Akamai Technologies and an anonymous security researcher are credited with the discovery of the bug.
Admins are advised to update to version 2.17.0 of Apache Log4j 2 to secure their systems from the vulnerability, or to take the necessary actions to mitigate the risk.