
Upgraded to log4j 2.16? Surprise, there's a 2.17 fixing DoS
2021-12-18 10:29

Suspicion of a DoS bug affecting log4j 2.16.0 arose on Apache's JIRA project about three days ago, shortly after 2.15.0 was found to be vulnerable to a minor DoS vulnerability.

Log4j 2.17.0 is out today and fixes the DoS. Tracked as CVE-2021-45105 and scored 'High' on the CVSS scale, the flaw exists because log4j 2.16 "Does not always protect from infinite recursion in lookup evaluation."

To fix the vulnerability, log4j version 2.17.0 has been released today; it allows only "Lookup strings in configuration" to expand recursively.

According to Google, the vast majority of vulnerable Java packages in Maven Central borrow log4j "Indirectly"; that is, log4j is a dependency of a dependency used by the package, a situation also referred to as a transitive dependency.

Looking at the history of publicly disclosed critical vulnerabilities affecting Maven packages, and the fact that fewer than 48% of those packages had a fix available, Google researchers expect "a long wait, likely years" before log4j flaws are completely eliminated from all Java packages.

Organizations should upgrade to the latest log4j versions and continue to monitor Apache's advisories for updates.
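As an added example (not code from the article or from the Log4j project), the following Python check walks `mvn dependency:tree` output, reports any log4j-core inside the affected range the advisory quotes (2.0-alpha1 through 2.16.0, excluding 2.12.3 and 2.3.1), and shows whether it arrives directly or through a transitive dependency. The sample tree is constructed, and treating later 2.12.x and 2.3.x patch releases as fixed is an assumption.

```python
"""Flag vulnerable log4j-core versions, direct or transitive, in `mvn dependency:tree` output."""
import re
from typing import Dict, List

# Coordinates as printed by `mvn dependency:tree`: group:artifact:packaging:version[:scope]
_COORD = re.compile(r"([\w.\-]+):([\w.\-]+):[\w\-]+:([\w.\-]+)")


def is_vulnerable_log4j(version: str) -> bool:
    """Range quoted on this page: 2.0-alpha1 through 2.16.0 is affected, except the
    backported fixes 2.12.3 and 2.3.1 (assumption: later 2.12.x/2.3.x patches are fixed too)."""
    m = re.match(r"(\d+)\.(\d+)(?:\.(\d+))?", version)
    if not m:
        return True  # unparseable version: flag it rather than silently pass
    major, minor, patch = int(m.group(1)), int(m.group(2)), int(m.group(3) or 0)
    if major != 2 or (minor, patch) >= (17, 0):
        return False  # 1.x is outside this CVE; 2.17.0 and later carry the fix
    return not ((minor == 12 and patch >= 3) or (minor == 3 and patch >= 1))


def find_vulnerable_log4j(tree_text: str) -> List[Dict[str, object]]:
    """Record each vulnerable log4j-core with the chain of coordinates leading to it."""
    findings: List[Dict[str, object]] = []
    path: List[str] = []  # path[i] = coordinate currently open at tree depth i
    for raw in tree_text.splitlines():
        line = raw.split("[INFO]", 1)[1] if raw.startswith("[INFO]") else raw
        m = _COORD.search(line)
        if not m:
            continue  # log noise such as "[INFO] Building app 1.0.0"
        group, artifact, version = m.groups()
        depth = m.start() // 3  # tree art ('+- ', '|  ', '\- ') is 3 chars per level
        del path[depth:]
        path.append(f"{group}:{artifact}:{version}")
        if (group, artifact) == ("org.apache.logging.log4j", "log4j-core") and is_vulnerable_log4j(version):
            findings.append({
                "version": version,
                "transitive": depth > 1,  # depth 1 = declared directly in the project's POM
                "path": path[1:],         # drop the project's own root coordinate
            })
    return findings


# Constructed sample: log4j-core 2.16.0 reaches the project only through a starter.
SAMPLE_TREE = r"""
[INFO] com.example:app:jar:1.0.0
[INFO] +- org.springframework.boot:spring-boot-starter-log4j2:jar:2.5.0:compile
[INFO] |  +- org.apache.logging.log4j:log4j-core:jar:2.16.0:compile
[INFO] |  \- org.apache.logging.log4j:log4j-slf4j-impl:jar:2.16.0:compile
[INFO] \- org.apache.logging.log4j:log4j-api:jar:2.16.0:compile
"""
```

Run `find_vulnerable_log4j(SAMPLE_TREE)` to see the 2.16.0 finding with its path through the starter; feed it the real `mvn dependency:tree` output of a project to audit that project the same way.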


News URL

https://www.bleepingcomputer.com/news/security/upgraded-to-log4j-216-surprise-theres-a-217-fixing-dos/

Related Vulnerability

Date: 2021-12-18
CVE: CVE-2021-45105
Vulnerability title: Uncontrolled Recursion vulnerability in multiple products
Description: Apache Log4j2 versions 2.0-alpha1 through 2.16.0 (excluding 2.12.3 and 2.3.1) did not protect from uncontrolled recursion from self-referential lookups.
Attack vector: network
Attack complexity: high
Affected vendors: apache, netapp, debian, sonicwall, oracle
Weakness: CWE-674
Risk (CVSS score): 5.9