Apache’s Fix for Log4Shell Can Lead to DoS Attacks (Security News, December 2021)
Last Thursday security researchers began warning that a vulnerability tracked as CVE-2021-44228 in Apache Log4j was under active attack and had the potential, according to many reports, to break the internet.
To its credit, Apache hastily released a patch to fix Log4Shell with Log4j version 2.15.0 last Friday.
Now researchers have found that this fix "is incomplete in certain non-default configurations" and, in certain scenarios, paves the way for denial-of-service attacks, according to a security advisory from Apache.org.
One security professional noted that Apache's haste to release a patch for Log4Shell after the initial panic over its discovery may have inadvertently caused the latest CVE. "Often rushing patches to fix vulnerabilities means that the fix may not be complete, as the case is here," observed John Bambenek, principal threat hunter at Netenrich, in an email to Threatpost on Tuesday.
There is already some confusion about how many Log4Shell-related vulnerabilities currently exist and how they relate to one another, which adds to the avalanche of information being published about the bug, researchers from RiskBased Security wrote in a blog post published Tuesday.
One thing that is certain about the mounting drama surrounding Log4Shell is that, because the vulnerability's attack surface is so vast, there is great potential for further and extensive exploitation, according to RiskBased Security.
News URL: https://threatpost.com/apache-patch-log4shell-log4j-dos-attacks/177064/
Related Vulnerability

DATE | CVE | VULNERABILITY TITLE | RISK
---|---|---|---
2021-12-10 | CVE-2021-44228 | Deserialization of Untrusted Data vulnerability in multiple products. Apache Log4j2 2.0-beta9 through 2.15.0 (excluding security releases 2.12.2, 2.12.3, and 2.3.1): JNDI features used in configuration, log messages, and parameters do not protect against attacker-controlled LDAP and other JNDI-related endpoints. Tags: network, low complexity, apache, siemens, intel, debian, fedoraproject, sonicwall, netapp, cisco, snowsoftware, bentley, percussion, apple, CWE-502, critical | 10.0