In addition to 'Log4Shell', a new vulnerability 'CVE-2021-45046' was discovered in Java's Log4j library and can be dealt with by updating.

A serious vulnerability, CVE-2021-44228, commonly known as 'Log4Shell', has been discovered in Log4j, a Java log output library, that allows arbitrary code to be executed remotely. The Apache Software Foundation (ASF), which provides Log4j,

has reported that a new vulnerability, CVE-2021-45046, has been discovered and is calling for an update to Log4j to version 2.16.0 or later.

CVE --CVE-2021-45046

CVE-2021-45046- Red Hat Customer Portal

Log4Shell Update: Second log4j Vulnerability Published (CVE-2021-44228 + CVE-2021-45046) | LunaSec

Protection against CVE-2021-45046, the additional Log4j RCE vulnerability

The following articles summarize the vulnerabilities in Log4Shell that have been confirmed in Log4j version 2.0 beta 9 to version 2.14.1.

Why does the vulnerability 'Log4Shell (CVE-2021-44228)' found in Java's Log4j library have a major impact on the world? --GIGAZINE

On December 10, 2021, ASF released version 2.15.0 with Log4Shell protection. However, it turns out that Log4Shell's countermeasures are insufficient in certain configurations other than the default. According to Apache, when using a non-default PatternLayout, use a Context Lookup ($ {ctx: loginId}, etc.) or a Thread Context Map (% X,% mdc,% MDC) to control the input data in the Thread Context Map. It was possible that an attacker who could create malicious input data with a JNDI reference pattern could trigger a DoS attack.

So far, as a workaround for the Log4Shell exploit, a method to set 'log4j2.noFormatMsgLookup' to True has been introduced, but CVE-2021-45046 could be able to avoid this invalid setting and attack. understand.

Therefore, ASF released version 2.16.0 (Java 8 or later) on December 14, 2021. Version 2.16.0 addresses the newly discovered vulnerability CVE-2021-45046. In version 2.16.0, the JNDI feature itself is disabled by default and the Message Lookup feature has been removed. ..

ASF has also released Log4j version 2.12.2 for the Java 7 runtime environment. Previously, version 2.12.1 was the final version of Log4j for Java 7, but Java 7 runtime environment version 2.12.2 has been released to support Log4Shell and CVE-2021-45046. ASF is calling for updates to Log4j as soon as possible.

in Software,   Web Service,   Security, Posted by log1i_yk