New Log4j Denial-of-Service Vulnerability
Apache has released Log4j 2.17.0 (for Java 8 and later), addressing a newly disclosed denial-of-service vulnerability.
The vulnerability (CVE-2021-45104, CVSS 3.1: 7.5) is of high severity and allows attackers to trigger infinite recursion in Log4j’s lookup evaluation, which in turn crashes the vulnerable application.
Affected Versions
All Log4j versions from 2.0-beta9 to 2.16.0 are affected.
Log4j 1.x is not impacted by this vulnerability, but is impacted by the “Log4Shell” vulnerability and has reached End-of-Life, so it no longer receives fixes.
Mitigation
CYREBRO urges all clients to follow Apache’s mitigation steps:
- Java 8 (or later) users should upgrade to release 2.17.0.
Workaround
Alternatively, the vulnerability can be mitigated in configuration:
- In PatternLayout in the logging configuration, replace Context Lookups such as ${ctx:loginId} or $${ctx:loginId} with Thread Context Map patterns (%X, %mdc, or %MDC).
- Otherwise, in the configuration, remove references to Context Lookups such as ${ctx:loginId} or $${ctx:loginId} where the looked-up values originate from sources external to the application, such as HTTP headers or user input.
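The following log4j2.xml fragment is an added illustration of the first workaround and is not part of the Apache advisory or CYREBRO’s text; it places a PatternLayout that uses a Context Lookup beside the equivalent layout using the Thread Context Map converter. The appender names, the console target and the rest of the pattern are assumed; only the loginId key comes from the advisory.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Added example (not from the advisory): vulnerable vs. mitigated PatternLayout.
     Appender names and the surrounding pattern are assumed. -->
<Configuration status="WARN">
  <Appenders>
    <!-- Before: a Context Lookup inside the pattern. On affected versions
         (2.0-beta9 to 2.16.0) lookup evaluation of the value stored under
         loginId can recurse without bound when that value is attacker-influenced,
         for example when it was copied from an HTTP header or user input. -->
    <Console name="ConsoleWithLookup" target="SYSTEM_OUT">
      <PatternLayout pattern="%d{ISO8601} %-5p [%t] $${ctx:loginId} %c - %m%n"/>
    </Console>

    <!-- After: the Thread Context Map converter reads the same key directly
         from the thread context and never goes through lookup evaluation.
         %X{loginId}, %mdc{loginId} and %MDC{loginId} are equivalent spellings. -->
    <Console name="ConsoleWithMdc" target="SYSTEM_OUT">
      <PatternLayout pattern="%d{ISO8601} %-5p [%t] %X{loginId} %c - %m%n"/>
    </Console>
  </Appenders>
  <Loggers>
    <!-- Only the mitigated appender is wired in; the lookup-based one is kept
         above purely for comparison and should be deleted in a real deployment. -->
    <Root level="info">
      <AppenderRef ref="ConsoleWithMdc"/>
    </Root>
  </Loggers>
</Configuration>
```

In application code the key is populated the same way for both layouts, via org.apache.logging.log4j.ThreadContext.put("loginId", value), so switching the pattern requires no code change.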
Note that only the log4j-core JAR file is impacted by this vulnerability. Applications using only the log4j-api JAR file without the log4j-core JAR file are not impacted by this vulnerability.
Source: Apache Advisory