<img height="1" width="1" style="display:none;" alt="" src="https://px.ads.linkedin.com/collect/?pid=2659386&amp;fmt=gif">
Talk to an expert
Cysiv Blog

Security Advisory: Apache Log4j2 — Denial of Service Vulnerability

Back to Blog

The Apache Software Foundation, which maintains Log4j, released Log4j version 2.16.0 on 13th Dec, after it was found that the fix to address CVE-2021-44228 in Apache Log4j 2.15.0 was incomplete in certain non-default configurations. This flaw could allow attackers to craft malicious input data using a JNDI Lookup pattern resulting in a denial of service (DOS) attack. Log4j 2.16.0 fixes the problem by removing support for message lookup patterns and disabling JNDI functionality by default.

Description

The new flaw, tracked as CVE-2021-45046 , abuses the same functions as Log4Shell, otherwise known as CVE-2021-44228. It lets attackers cause a denial of service in Log4j; the same utility being exploited by Log4Shell. That in turn might cause websites using Log4j to malfunction or crash.

It was found that the fix to address CVE-2021-44228 in Apache Log4j 2.15.0 was incomplete in certain non-default configurations. This could allow attackers with control over Thread Context Map (MDC) input data when the logging configuration uses a non-default Pattern Layout with either a Context Lookup (for example, $${ctx:loginId}) or a Thread Context Map pattern (%X, %mdc, or %MDC) to craft malicious input data using a JNDI Lookup pattern resulting in a denial of service (DOS) attack. Log4j 2.15.0 restricts JNDI LDAP lookups to localhost by default. Note that previous mitigations involving configuration such as to set the system property `log4j2.noFormatMsgLookup` to `true` do NOT mitigate this specific vulnerability. Log4j 2.16.0 fixes this issue by removing support for message lookup patterns and disabling JNDI functionality by default. This issue can be mitigated in prior releases (<2.16.0) by removing the JndiLookup class from the classpath.

Exploitability:

Severity Exploit Availability Exploited Exploitability Assessment
Moderate Exploit Available Yes Highly Likely

Affected Products

The affected products and versions are as follows:

  • Any Log4J version prior to v2.16.0 is affected, including the v1 branch of Log4J which is considered End Of Life (EOL).

Mitigation

Apache has released an updated version, Log4j 2.16.0. Please note that this version fixes CVE-2021-44228 and CVE-2021-45046 by:

  • Disabling JNDI by default.
  • Requiring the log4j2.enableJndi system property to be set to true to allow JNDI.
  • Completely removing support for Message Lookups.

It is recommended to investigate your internal and third-party usage of Log4j for vulnerable configurations and take remediation actions. If you are uncertain or unable to determine if your implementation is vulnerable, patch aggressively. With so many products affected, it is expected that a whole lot of vendors to be announcing patches very soon if not already.

References:

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-45046

https://lists.apache.org/thread/83y7dx5xvn3h5290q1twn16tltolv88f

https://blog.talosintelligence.com/2021/12/apache-log4j-rce-vulnerability.html