Security News > 2021 > December > Apache Issues 3rd Patch to Fix New High-Severity Log4j Vulnerability
The issues with Log4j continued to stack up as the Apache Software Foundation on Friday rolled out yet another patch for the widely used logging library that could be exploited by malicious actors to stage a denial-of-service attack.
Tracked as CVE-2021-45105, the new vulnerability affects all versions of the tool from 2.0-beta9 to 2.16.0, which the open-source nonprofit shipped earlier this week to remediate a second flaw that could result in remote code execution, which, in turn, stemmed from an "Incomplete" fix for CVE-2021-44228, otherwise called the Log4Shell vulnerability.
Hideki Okamoto of Akamai Technologies and an anonymous vulnerability researcher have been credited with reporting the flaw.
Log4j versions 1.x are not affected by CVE-2021-45105.
It's worth pointing out that the severity score of CVE-2021-45046, originally classified as a DoS bug, has since been revised from 3.7 to 9.0, to acknowledge that an attacker could abuse the vulnerability to craft a specially crafted string that leads to "Information leak and remote code execution in some environments and local code execution in all environments," as reported by researchers at security firm Praetorian.
The development comes as the U.S. Cybersecurity and Infrastructure Security Agency issued an emergency directive mandating federal civilian departments and agencies to immediately patch their internet-facing systems for the Apache Log4j vulnerabilities by December 23, 2021, citing the flaw pose an "Unacceptable risk."
News URL
https://thehackernews.com/2021/12/apache-issues-3rd-patch-to-fix-new-high.html
Related news
- Cisco Releases Patch for Critical URWB Vulnerability in Industrial Wireless Systems (source)
- PAN-OS Firewall Vulnerability Under Active Exploitation – IoCs and Patch Released (source)
- Veeam Issues Patch for Critical RCE Vulnerability in Service Provider Console (source)
- Cleo File Transfer Vulnerability Under Exploitation – Patch Pending, Mitigation Urged (source)
- Microsoft Fixes 72 Flaws, Including Patch for Actively Exploited CLFS Vulnerability (source)
- Patch Tuesday: Microsoft Patches One Actively Exploited Vulnerability, Among Others (source)
- BeyondTrust Issues Urgent Patch for Critical Vulnerability in PRA and RS Products (source)
- Patch Alert: Critical Apache Struts Flaw Found, Exploitation Attempts Detected (source)
Related Vulnerability
DATE | CVE | VULNERABILITY TITLE | RISK |
---|---|---|---|
2021-12-18 | CVE-2021-45105 | Uncontrolled Recursion vulnerability in multiple products Apache Log4j2 versions 2.0-alpha1 through 2.16.0 (excluding 2.12.3 and 2.3.1) did not protect from uncontrolled recursion from self-referential lookups. | 5.9 |
2021-12-14 | CVE-2021-45046 | It was found that the fix to address CVE-2021-44228 in Apache Log4j 2.15.0 was incomplete in certain non-default configurations. | 9.0 |
2021-12-10 | CVE-2021-44228 | Apache Log4j2 2.0-beta9 through 2.15.0 (excluding security releases 2.12.2, 2.12.3, and 2.3.1) JNDI features used in configuration, log messages, and parameters do not protect against attacker controlled LDAP and other JNDI related endpoints. network low complexity apache siemens intel debian fedoraproject sonicwall netapp cisco snowsoftware bentley percussion apple critical | 10.0 |