Security News > 2021 > December > Second Log4j Vulnerability (CVE-2021-45046) Discovered — New Patch Released
The Apache Software Foundation has pushed out a new fix for the Log4j logging utility after the previous patch for the recently disclosed Log4Shell exploit was deemed as "Incomplete in certain non-default configurations."
The second vulnerability - tracked as CVE-2021-45046 - is rated 3.7 out of a maximum of 10 on the CVSS rating system and affects all versions of Log4j from 2.0-beta9 through 2.12.1 and 2.13.0 through 2.15.0, which the project maintainers shipped last week to address a critical remote code execution vulnerability that could be abused to infiltrate and take over systems.
The incomplete patch for CVE-2021-44228, could be abused to "Craft malicious input data using a JNDI Lookup pattern resulting in a denial-of-service attack," the ASF said in a new advisory.
The latest version of Log4j, 2.16.0, all but removes support for message lookups and disables JNDI by default, the component that's at the heart of the vulnerability.
The U.S. Cybersecurity and Infrastructure Security Agency has also added Log4Shell to its Known Exploited Vulnerabilities Catalog, giving federal agencies a deadline of December 24 to incorporate patches for the vulnerability.
"The most immediate priority for defenders is to reduce exposure by patching and mitigating all corners of their infrastructure and investigate exposed and potentially compromised systems. This vulnerability can be everywhere," Gallagher added.
News URL
https://thehackernews.com/2021/12/second-log4j-vulnerability-cve-2021.html
Related news
- Veeam Issues Patch for Critical RCE Vulnerability in Service Provider Console (source)
- Cleo File Transfer Vulnerability Under Exploitation – Patch Pending, Mitigation Urged (source)
- Microsoft Fixes 72 Flaws, Including Patch for Actively Exploited CLFS Vulnerability (source)
- Patch Tuesday: Microsoft Patches One Actively Exploited Vulnerability, Among Others (source)
- BeyondTrust Issues Urgent Patch for Critical Vulnerability in PRA and RS Products (source)
- Critical SQL Injection Vulnerability in Apache Traffic Control Rated 9.9 CVSS — Patch Now (source)