
Bad things come in threes: Apache reveals another Log4J bug
2021-12-19 22:57

The Apache Software Foundation has revealed a third bug in Log4j, its Java-based open-source logging library.

CVE-2021-45105 is a 7.5/10-rated uncontrolled-recursion (denial of service) bug present in Log4j 2 versions 2.0-alpha1 through 2.16.0. It only bites when the logging configuration uses a non-default Pattern Layout with a Context Lookup such as $${ctx:loginId}: an attacker who controls Thread Context Map (MDC) data can then supply a self-referential lookup, and the substitution recurses until the thread dies with a StackOverflowError.

The fix is version 2.17.0 of Log4j for Java 8 and later; 2.12.3 and 2.3.1 carry the same fix for the Java 7 and Java 6 lines.

In case you haven't been paying attention, version 2.15.0 was created to fix CVE-2021-44228, the critical-rated and trivial-to-exploit remote code execution flaw present in versions 2.0-beta9 through 2.14.1.

Version 2.15.0's fix turned out to be incomplete in certain non-default configurations, which became CVE-2021-45046: with a Pattern Layout containing a Context Lookup, a remote attacker with control over Thread Context Map data could cook up malicious input using a JNDI Lookup pattern and, depending on the environment, leak information or execute code. Version 2.16.0 answered that by removing message lookups and disabling JNDI by default.

You know the drill by now: download the latest version 2.17.0 of Log4j and install it everywhere Log4j runs, which of course turns out to be everywhere. If upgrading has to wait, Apache's mitigation for CVE-2021-45105 is to replace Context Lookups such as ${ctx:loginId} or $${ctx:loginId} in the Pattern Layout with Thread Context Map patterns (%X, %mdc or %MDC). Note that deleting JndiLookup.class, the popular stopgap for the earlier two bugs, does nothing for this one.
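The drill above comes down to finding every log4j-core on disk and deciding whether it is exposed. The script below is an added example, not code from The Register or the Log4j project. It goes slightly beyond the article by classifying a jar against all three December 2021 CVEs, not only CVE-2021-45105, using the affected ranges from Apache's security advisories; it assumes log4j-core jars carry the Maven pom.properties entry (true for the official artifacts, not necessarily for shaded copies), and it builds a constructed two-jar fixture in a temporary directory so it runs offline. It also flags the configuration precondition for CVE-2021-45105, a Context Lookup inside a Pattern Layout, and suggests the %X{key} replacement.

```python
"""Classify Log4j 2 jars found on disk against the three December 2021 CVEs.

Added example, not code from the article or the Log4j project. Affected ranges
are taken from the Apache Log4j security advisories:
  CVE-2021-44228  2.0-beta9 to 2.14.1  (fixed in 2.15.0, 2.12.2, 2.3.1)
  CVE-2021-45046  2.0-beta9 to 2.15.0  (fixed in 2.16.0, 2.12.2, 2.3.1)
  CVE-2021-45105  2.0-alpha1 to 2.16.0 (fixed in 2.17.0, 2.12.3, 2.3.1)
"""
import os
import re
import tempfile
import zipfile

PRE_RANK = {"alpha": 0, "beta": 1, "rc": 2}  # anything else sorts as a final release (3)
POM_PROPS = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
JNDI_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
CTX_LOOKUP = re.compile(r"\$\$?\{ctx:([^}]+)\}")


def version_key(v):
    """Turn '2.0-beta9', '2.3' or '2.16.0' into a tuple that sorts like Log4j releases."""
    m = re.fullmatch(r"(\d+)\.(\d+)(?:\.(\d+))?(?:-([a-z]+)(\d*))?", v.strip().lower())
    if not m:
        raise ValueError(f"unrecognised Log4j version string: {v!r}")
    major, minor, patch, pre, pre_n = m.groups()
    return (int(major), int(minor), int(patch or 0),
            PRE_RANK.get(pre, 3) if pre else 3, int(pre_n or 0))


def affected_cves(version):
    """Return the CVEs (in advisory order) that apply to a log4j-core version."""
    k = version_key(version)
    if k[0] != 2:
        return []  # Log4j 1.x is a different code base and not in scope for these three
    backports = {version_key(x) for x in ("2.12.2", "2.12.3", "2.3.1")}
    fixed = {
        "CVE-2021-44228": k >= version_key("2.15.0") or k in backports,
        "CVE-2021-45046": k >= version_key("2.16.0") or k in backports,
        # 2.12.2 predates the recursion fix; only 2.12.3 and 2.3.1 carry it
        "CVE-2021-45105": k >= version_key("2.17.0") or k in backports - {version_key("2.12.2")},
    }
    first = {"CVE-2021-44228": "2.0-beta9", "CVE-2021-45046": "2.0-beta9",
             "CVE-2021-45105": "2.0-alpha1"}
    return [c for c in fixed if k >= version_key(first[c]) and not fixed[c]]


def scan_jars(root):
    """Walk root, read each log4j-core jar's version from pom.properties, classify it."""
    findings = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            if not name.endswith(".jar"):
                continue
            path = os.path.join(dirpath, name)
            with zipfile.ZipFile(path) as jar:
                names = set(jar.namelist())
                if POM_PROPS not in names:
                    continue  # not an official log4j-core artifact
                props = jar.read(POM_PROPS).decode("utf-8", "replace")
                m = re.search(r"^version=(.+)$", props, re.M)
                if not m:
                    findings.append({"path": path, "version": None, "cves": None})
                    continue
                version = m.group(1).strip()
                cves = affected_cves(version)
                # Deleting JndiLookup.class mitigates 44228/45046 but not the recursion bug.
                if JNDI_CLASS not in names:
                    cves = [c for c in cves if c == "CVE-2021-45105"]
                findings.append({"path": path, "version": version, "cves": cves})
    return sorted(findings, key=lambda f: f["path"])


def context_lookup_warnings(pattern):
    """CVE-2021-45105 needs a Context Lookup in the Pattern Layout; suggest %X{key} instead."""
    return [f"replace {m.group(0)} with %X{{{m.group(1)}}}" for m in CTX_LOOKUP.finditer(pattern)]


def make_sample_tree():
    """Constructed fixture: two jars under a temp dir, one 'patched' by class removal."""
    root = tempfile.mkdtemp(prefix="log4j-scan-")
    specs = {
        "app/lib/log4j-core-2.14.1.jar": ("2.14.1", True),
        "svc/log4j-core-2.16.0.jar": ("2.16.0", False),  # JndiLookup.class deleted by ops
    }
    for rel, (version, keep_jndi) in specs.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with zipfile.ZipFile(path, "w") as jar:
            jar.writestr(POM_PROPS, f"version={version}\nartifactId=log4j-core\n")
            if keep_jndi:
                jar.writestr(JNDI_CLASS, b"\xca\xfe\xba\xbe")  # placeholder bytes, not a real class
    return root


if __name__ == "__main__":
    for f in scan_jars(make_sample_tree()):
        print(f["path"], f["version"], f["cves"] or "clean")
    print(context_lookup_warnings("%d %-5p $${ctx:loginId} %m%n"))
```

Run it against a real tree with scan_jars("/opt") or similar; the constructed fixture only shows the two interesting outcomes: a 2.14.1 jar exposed to all three CVEs, and a 2.16.0 jar whose JndiLookup.class removal still leaves CVE-2021-45105 open.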


News URL

https://go.theregister.com/feed/www.theregister.com/2021/12/19/log4j_new_flaw_cve_2021_45105/
