Security News > 2021 > December > Bad things come in threes: Apache reveals another Log4J bug

Bad things come in threes: Apache reveals another Log4J bug
2021-12-19 22:57

The Apache Software Foundation has revealed a third bug in its Log4 Java-based open-source logging library Log4j.

CVE-2021-45105 is a 7.5/10-rated infinite recursion bug that was present in Log4j2 versions 2.0-alpha1 through 2.16.0.

The fix is version 2.17.0 of Log4j.

In case you haven't been paying attention, version 2.15.0 was created to fix CVE-2021-44228, the critical-rated and trivial-to-exploit remote code execution flaw present in many versions up to 2.14.0.

Version 2.15.0 didn't address another issue - CVE-2021-45046 - which allowed a remote attacker with control over Thread Context Map to cook up malicious input using a JNDI Lookup pattern.

You know the drill by now: download the latest version 2.17.0 of Log4J, here, and install it everywhere Log4j runs, which of course turns out to be everywhere.


News URL

https://go.theregister.com/feed/www.theregister.com/2021/12/19/log4j_new_flaw_cve_2021_45105/

Related Vulnerability

DATE CVE VULNERABILITY TITLE RISK
2021-12-18 CVE-2021-45105 Uncontrolled Recursion vulnerability in multiple products
Apache Log4j2 versions 2.0-alpha1 through 2.16.0 (excluding 2.12.3 and 2.3.1) did not protect from uncontrolled recursion from self-referential lookups.
network
high complexity
apache netapp debian sonicwall oracle CWE-674
5.9
2021-12-14 CVE-2021-45046 Expression Language Injection vulnerability in multiple products
It was found that the fix to address CVE-2021-44228 in Apache Log4j 2.15.0 was incomplete in certain non-default configurations.
network
high complexity
apache intel cvat siemens debian sonicwall fedoraproject CWE-917
critical
9.0
2021-12-10 CVE-2021-44228 Deserialization of Untrusted Data vulnerability in multiple products
Apache Log4j2 2.0-beta9 through 2.15.0 (excluding security releases 2.12.2, 2.12.3, and 2.3.1) JNDI features used in configuration, log messages, and parameters do not protect against attacker controlled LDAP and other JNDI related endpoints.
10.0

Related vendor

VENDOR LAST 12M #/PRODUCTS LOW MEDIUM HIGH CRITICAL TOTAL VULNS
Apache 305 58 853 656 313 1880