Security News > 2021 > December > Apache Issues 3rd Patch to Fix New High-Severity Log4j Vulnerability

Apache Issues 3rd Patch to Fix New High-Severity Log4j Vulnerability
2021-12-19 21:02

The issues with Log4j continued to stack up as the Apache Software Foundation on Friday rolled out yet another patch for the widely used logging library that could be exploited by malicious actors to stage a denial-of-service attack.

Tracked as CVE-2021-45105, the new vulnerability affects all versions of the tool from 2.0-beta9 to 2.16.0, which the open-source nonprofit shipped earlier this week to remediate a second flaw that could result in remote code execution, which, in turn, stemmed from an "Incomplete" fix for CVE-2021-44228, otherwise called the Log4Shell vulnerability.

Hideki Okamoto of Akamai Technologies and an anonymous vulnerability researcher have been credited with reporting the flaw.

Log4j versions 1.x are not affected by CVE-2021-45105.

It's worth pointing out that the severity score of CVE-2021-45046, originally classified as a DoS bug, has since been revised from 3.7 to 9.0, to acknowledge that an attacker could abuse the vulnerability to craft a specially crafted string that leads to "Information leak and remote code execution in some environments and local code execution in all environments," as reported by researchers at security firm Praetorian.

The development comes as the U.S. Cybersecurity and Infrastructure Security Agency issued an emergency directive mandating federal civilian departments and agencies to immediately patch their internet-facing systems for the Apache Log4j vulnerabilities by December 23, 2021, citing the flaw pose an "Unacceptable risk."


News URL

https://thehackernews.com/2021/12/apache-issues-3rd-patch-to-fix-new-high.html

Related Vulnerability

DATE CVE VULNERABILITY TITLE RISK
2021-12-18 CVE-2021-45105 Uncontrolled Recursion vulnerability in multiple products
Apache Log4j2 versions 2.0-alpha1 through 2.16.0 (excluding 2.12.3 and 2.3.1) did not protect from uncontrolled recursion from self-referential lookups.
network
high complexity
apache netapp debian sonicwall oracle CWE-674
5.9
2021-12-14 CVE-2021-45046 Expression Language Injection vulnerability in multiple products
It was found that the fix to address CVE-2021-44228 in Apache Log4j 2.15.0 was incomplete in certain non-default configurations.
network
high complexity
apache intel cvat siemens debian sonicwall fedoraproject CWE-917
critical
9.0
2021-12-10 CVE-2021-44228 Deserialization of Untrusted Data vulnerability in multiple products
Apache Log4j2 2.0-beta9 through 2.15.0 (excluding security releases 2.12.2, 2.12.3, and 2.3.1) JNDI features used in configuration, log messages, and parameters do not protect against attacker controlled LDAP and other JNDI related endpoints.
10.0

Related vendor

VENDOR LAST 12M #/PRODUCTS LOW MEDIUM HIGH CRITICAL TOTAL VULNS
Apache 281 13 544 711 366 1634