Dec 16, 2021 11:10:00

In addition to 'Log4Shell', a new vulnerability 'CVE-2021-45046' was discovered in Java's Log4j library and can be dealt with by updating.

A serious vulnerability, CVE-2021-44228, commonly known as 'Log4Shell', has been discovered in Log4j, a Java log output library, that allows arbitrary code to be executed remotely. The Apache Software Foundation (ASF), which provides Log4j,

has reported that a new vulnerability, CVE-2021-45046, has been discovered and is calling for an update to Log4j to version 2.16.0 or later.

CVE --CVE-2021-45046
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-45046

CVE-2021-45046- Red Hat Customer Portal
https://access.redhat.com/security/cve/cve-2021-45046

Log4Shell Update: Second log4j Vulnerability Published (CVE-2021-44228 + CVE-2021-45046) | LunaSec
https://www.lunasec.io/docs/blog/log4j-zero-day-update-on-cve-2021-45046/

Protection against CVE-2021-45046, the additional Log4j RCE vulnerability
https://blog.cloudflare.com/protection-against-cve-2021-45046-the-additional-log4j-rce-vulnerability/

The following articles summarize the vulnerabilities in Log4Shell that have been confirmed in Log4j version 2.0 beta 9 to version 2.14.1.

Why does the vulnerability 'Log4Shell (CVE-2021-44228)' found in Java's Log4j library have a major impact on the world? --GIGAZINE

On December 10, 2021, ASF released version 2.15.0 with Log4Shell protection. However, it turns out that Log4Shell's countermeasures are insufficient in certain configurations other than the default. According to Apache, when using a non-default PatternLayout, use a Context Lookup ($ {ctx: loginId}, etc.) or a Thread Context Map (% X,% mdc,% MDC) to control the input data in the Thread Context Map. It was possible that an attacker who could create malicious input data with a JNDI reference pattern could trigger a DoS attack.

So far, as a workaround for the Log4Shell exploit, a method to set 'log4j2.noFormatMsgLookup' to True has been introduced, but CVE-2021-45046 could be able to avoid this invalid setting and attack. understand.

Therefore, ASF released version 2.16.0 (Java 8 or later) on December 14, 2021. Version 2.16.0 addresses the newly discovered vulnerability CVE-2021-45046. In version 2.16.0, the JNDI feature itself is disabled by default and the Message Lookup feature has been removed. ..

Apache Log4j 2.16.0 is now available. Thanks to the Apache Logging Services Project Management Committee (PMC) for working around the clock to get the release out so quickly! Https://t.co/fCVZWwUgN6 #Apache #OpenSource #innovation # community # log4j #security pic.twitter.com/Odhf1xawYl

— Apache --The ASF (@TheASF) December 13, 2021

ASF has also released Log4j version 2.12.2 for the Java 7 runtime environment. Previously, version 2.12.1 was the final version of Log4j for Java 7, but Java 7 runtime environment version 2.12.2 has been released to support Log4Shell and CVE-2021-45046. ASF is calling for updates to Log4j as soon as possible.