New Log4j Patch, Vendors Release Security Advisories
Last published on: December 15, 2021
New Log4j Vulnerability – Patch Available
Apache has released a new patch for Log4j addressing a newly discovered vulnerability, tracked as CVE-2021-45046 (CVSS 3.0 score 3.7), that may allow threat actors to cause Denial-of-Service (DoS) conditions in certain scenarios.
According to Apache, this vulnerability is not patched in Log4j 2.15.0.
The previously presented workaround of setting the ‘log4j2.formatMsgNoLookups’ system property to ‘true’ does not mitigate this newly discovered vulnerability.
Mitigation
CYREBRO strongly recommends following the Apache mitigation steps:
- Java 8 (or later) users should upgrade to release 2.16.0
- Users requiring Java 7 should upgrade to release 2.12.2 when it becomes available (work in progress, expected to be available soon).
- Otherwise, remove the JndiLookup class from the classpath: zip -q -d log4j-core-*.jar org/apache/logging/log4j/core/lookup/JndiLookup.class
Note that only the log4j-core JAR file is impacted by this vulnerability. Applications using only the log4j-api JAR file without the log4j-core JAR file are not impacted by this vulnerability.
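The following is an added example (not CYREBRO's or Apache's code) showing how a defender can check a log4j-core JAR for the JndiLookup class and reproduce the third mitigation step above without the zip tool, using only the Python standard library. The sample JAR it builds is a constructed stand-in for log4j-core-2.15.0.jar, not the real artifact.

```python
"""Check log4j-core JARs for JndiLookup.class and strip it (offline, stdlib only)."""
import os
import tempfile
import zipfile

# Path of the class that the Apache workaround removes from log4j-core.
JNDI_LOOKUP = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
MANIFEST = "META-INF/MANIFEST.MF"


def jar_status(jar_path):
    """Return the manifest Implementation-Version and whether JndiLookup.class is present."""
    with zipfile.ZipFile(jar_path) as jar:
        names = set(jar.namelist())
        version = None
        if MANIFEST in names:
            for line in jar.read(MANIFEST).decode("utf-8", "replace").splitlines():
                if line.startswith("Implementation-Version:"):
                    version = line.split(":", 1)[1].strip()
    return {"version": version, "has_jndi_lookup": JNDI_LOOKUP in names}


def strip_jndi_lookup(src_jar, dst_jar):
    """Copy src_jar to dst_jar without JndiLookup.class (same effect as `zip -d`)."""
    removed = False
    with zipfile.ZipFile(src_jar) as src, zipfile.ZipFile(dst_jar, "w", zipfile.ZIP_DEFLATED) as dst:
        for info in src.infolist():
            if info.filename == JNDI_LOOKUP:
                removed = True
                continue
            dst.writestr(info, src.read(info.filename))
    return removed


def make_sample_jar(path, version="2.15.0", include_jndi=True):
    """Build a constructed, minimal stand-in for log4j-core-<version>.jar (not the real artifact)."""
    with zipfile.ZipFile(path, "w") as jar:
        jar.writestr(MANIFEST, "Manifest-Version: 1.0\nImplementation-Version: %s\n" % version)
        jar.writestr("org/apache/logging/log4j/core/Logger.class", b"\xca\xfe\xba\xbe")
        if include_jndi:
            jar.writestr(JNDI_LOOKUP, b"\xca\xfe\xba\xbe")
    return path


def demo():
    """Create the sample JAR, record its status, strip the class, and return both statuses."""
    workdir = tempfile.mkdtemp()
    src = make_sample_jar(os.path.join(workdir, "log4j-core-2.15.0.jar"))
    dst = os.path.join(workdir, "log4j-core-2.15.0-nojndi.jar")
    before = jar_status(src)
    strip_jndi_lookup(src, dst)
    return before, jar_status(dst)
```

Run jar_status over every log4j-core-*.jar found on the host to inventory which copies still carry the class after patching; a JAR reporting a version below 2.16.0 with has_jndi_lookup set to True still needs the upgrade or the class removal.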
Vendors Release Security Advisory
Many vendors have begun addressing the Log4Shell vulnerability, including Fortinet, VMware, Cisco and many more. The list can be found here.
*Please note that this list may change and might not include all vendors.
CYREBRO urges reviewing the list of relevant vendors and products and visiting their advisories to apply relevant product mitigations and updates.
References: Apache Advisory | BleepingComputer