The CVE-2021-45105 flaw was fixed with the release of log4j version 2.17.0
The issues with Log4j continue as the Apache Software Foundation (ASF) rolled out a third patch, version 2.17.0, for the widely used logging library, fixing a flaw that could be exploited by threat actors to stage a denial-of-service (DoS) attack.
The first vulnerability, tracked as CVE-2021-44228 (aka Log4Shell), is a critical remote code execution zero-day that made the headlines last week after Chinese security researcher p0rz9 publicly disclosed a proof-of-concept exploit for it. The flaw affects the Apache Log4j Java-based logging library.
Due to this issue, thousands of organizations worldwide are potentially exposed to attacks, and security experts have already reported exploitation attempts in the wild.
Immediately after the disclosure of the exploit, Microsoft researchers reported that nation-state actors from China, Iran, North Korea, and Turkey were abusing Log4Shell in their campaigns.
The Apache Software Foundation (ASF) released a patch (Log4j version 2.15.0) for the Log4Shell vulnerability, but this fix turned out to be incomplete in certain non-default configurations.
An attacker with control over Thread Context Map (MDC) input data, when the logging configuration uses a non-default Pattern Layout with either a Context Lookup or a Thread Context Map pattern, can craft malicious input data using a JNDI Lookup pattern, triggering a denial-of-service (DoS) condition.
The second Log4j CVE, tracked as CVE-2021-45046, was addressed with the release of Log4j 2.16.0, which removed support for message lookup patterns and disabled JNDI functionality by default.
According to researchers at security firm Praetorian, a third security vulnerability, which can be exploited by attackers to exfiltrate sensitive data in certain circumstances, was found.
The Apache Software Foundation (ASF) was therefore forced to release its third version in a week (version 2.17.0) to fix a 'High' severity denial-of-service (DoS) vulnerability in log4j 2.16, tracked as CVE-2021-45105.
CVE-2021-45046, initially rated as low severity (3.7), had its severity raised to critical (9.0) by the Apache Software Foundation because experts found a new way to bypass the second fix released by the Foundation.
This vulnerability is a DoS flaw that impacts log4j 2.16. The experts pointed out that even though JNDI lookups were disabled in version 2.16, self-referential lookups remained possible under certain circumstances.
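The two preconditions described above (a PatternLayout that reads the Thread Context Map, and MDC values that contain a nested, self-referential lookup) can be checked from the defender's side. The following is an added example, not code from the article or from the Log4j project: it flags layout patterns that interpolate MDC data (`${ctx:...}`, `%X`, `%mdc`, `%MDC`) and measures how deeply `${...}` lookups are nested in MDC values, so a log pipeline or pre-upgrade audit can spot exposed configurations and suspicious input. The sample MDC values and layout patterns are constructed for illustration.

```python
import re

# PatternLayout elements that pull values from the Thread Context Map (MDC):
# the Context Lookup ${ctx:key} and the %X / %mdc / %MDC conversion patterns.
# These are the non-default configurations CVE-2021-45105 requires.
_MDC_PATTERNS = re.compile(r"\$\{ctx:|%(?:X|mdc|MDC)\b")


def layout_reads_mdc(pattern: str) -> bool:
    """True if a PatternLayout pattern interpolates Thread Context Map data."""
    return _MDC_PATTERNS.search(pattern) is not None


def max_lookup_depth(value: str) -> int:
    """Maximum nesting depth of ${...} lookups in a string.

    0: no lookup syntax; 1: a plain lookup such as ${ctx:loginId};
    2 or more: a lookup whose result is itself evaluated as a lookup,
    the self-referential shape behind the 2.16 DoS.
    """
    depth = max_depth = 0
    i = 0
    while i < len(value):
        if value.startswith("${", i):
            depth += 1
            max_depth = max(max_depth, depth)
            i += 2
            continue
        if value[i] == "}" and depth > 0:
            depth -= 1
        i += 1
    return max_depth


def suspicious_mdc_values(mdc: dict, threshold: int = 2) -> list:
    """Return (key, depth) pairs for MDC entries whose lookup nesting
    reaches the threshold; these should be rejected or sanitized before
    they ever reach a layout that interpolates MDC data."""
    return [(k, d) for k, v in mdc.items()
            if (d := max_lookup_depth(str(v))) >= threshold]


if __name__ == "__main__":
    # Constructed sample data, not taken from any real incident.
    layout = "%d %p %c{1.} [%t] $${ctx:loginId} %m%n"
    mdc = {"loginId": "alice", "session": "${${ctx:loginId}}"}
    print("layout reads MDC:", layout_reads_mdc(layout))
    print("suspicious MDC values:", suspicious_mdc_values(mdc))
```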