Security News > 2021 > December > Apache Issues 3rd Patch to Fix New High-Severity Log4j Vulnerability

The issues with Log4j continued to stack up as the Apache Software Foundation on Friday rolled out yet another patch for the widely used logging library that could be exploited by malicious actors to stage a denial-of-service attack.

Tracked as CVE-2021-45105, the new vulnerability affects all versions of the tool from 2.0-beta9 to 2.16.0, which the open-source nonprofit shipped earlier this week to remediate a second flaw that could result in remote code execution, which, in turn, stemmed from an "Incomplete" fix for CVE-2021-44228, otherwise called the Log4Shell vulnerability.

Hideki Okamoto of Akamai Technologies and an anonymous vulnerability researcher have been credited with reporting the flaw.

Log4j versions 1.x are not affected by CVE-2021-45105.

It's worth pointing out that the severity score of CVE-2021-45046, originally classified as a DoS bug, has since been revised from 3.7 to 9.0, to acknowledge that an attacker could abuse the vulnerability to craft a specially crafted string that leads to "Information leak and remote code execution in some environments and local code execution in all environments," as reported by researchers at security firm Praetorian.

The development comes as the U.S. Cybersecurity and Infrastructure Security Agency issued an emergency directive mandating federal civilian departments and agencies to immediately patch their internet-facing systems for the Apache Log4j vulnerabilities by December 23, 2021, citing the flaw pose an "Unacceptable risk."

News URL

https://thehackernews.com/2021/12/apache-issues-3rd-patch-to-fix-new-high.html