Security News > 2021 > December > Third Log4J Bug Can Trigger DoS; Apache Issues Patch
No, you're not seeing triple: On Friday, Apache released yet another patch - version 2.17 - for yet another flaw in the ubiquitous log4j logging library, this time for a DoS bug.
The latest bug isn't a variant of Log4Shell, the remote-code execution flaw that has plagued IT teams since Dec. 10: that one came under active attack worldwide within hours of its public disclosure, spawned even nastier mutations, and left Apache's initial patch open to a potential denial-of-service.
ContextMapLookup allows applications to store data in the Log4j ThreadContext Map and then retrieve the values in the Log4j configuration: for example, an app might store the current user's login ID in the ThreadContext Map under the key "LoginId".
The weakness has to do with improper input validation and uncontrolled recursion that can lead to DoS. As explained by Guy Lederfein of the Trend Micro Research Team, "The Apache Log4j API supports variable substitution in lookups. However, a crafted variable can cause the application to crash due to uncontrolled recursive substitutions. An attacker with control over lookup commands can craft a malicious lookup variable, which results in a Denial-of-Service attack."
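To make the recursion concrete, here is a small model of lookup substitution written for this article (it is not Log4j's code): a `${ctx:key}` pattern is replaced by the matching ThreadContext entry and the replacement is scanned again, so a value that refers back to its own key never converges; the hardened resolver tracks the keys on the current resolution path and refuses the cycle instead. The `ctx` dictionaries and the `LookupRecursionError` name are assumptions for the example.

```python
import re
from typing import Dict, List, Optional, Tuple

# "${ctx:key}" is the ThreadContext map lookup modelled here (constructed
# sample; the real library supports many more lookup prefixes).
LOOKUP = re.compile(r"\$\{ctx:([^}]+)\}")


class LookupRecursionError(ValueError):
    """Raised when a lookup refers back to a key already being resolved."""


def resolve_naive(pattern: str, ctx: Dict[str, str], budget: int = 1000) -> Tuple[str, int]:
    """Model of the unprotected behaviour: substitute until no lookup remains.
    Returns (text, rounds); rounds == budget means substitution never
    converged. In the library the recursion ran on the call stack, so the
    process crashed instead of merely spinning."""
    rounds = 0
    while (m := LOOKUP.search(pattern)) and rounds < budget:
        pattern = pattern[:m.start()] + ctx.get(m.group(1), "") + pattern[m.end():]
        rounds += 1
    return pattern, rounds


def resolve(pattern: str, ctx: Dict[str, str], _stack: Optional[List[str]] = None) -> str:
    """Hardened resolver: a ctx key may appear at most once on the resolution
    path, so self- or mutually-referential values are rejected up front."""
    stack = _stack or []

    def expand(m: "re.Match[str]") -> str:
        key = m.group(1)
        if key in stack:
            raise LookupRecursionError(f"cyclic lookup via ctx:{key}")
        value = ctx.get(key, "")  # missing keys expand to empty text
        return resolve(value, ctx, stack + [key])  # nested lookups allowed

    return LOOKUP.sub(expand, pattern)


def is_cyclic(pattern: str, ctx: Dict[str, str]) -> bool:
    """Pre-check a pattern against the current ThreadContext contents."""
    try:
        resolve(pattern, ctx)
    except LookupRecursionError:
        return True
    return False


if __name__ == "__main__":
    benign = {"loginId": "alice"}                      # constructed sample
    crafted = {"loginId": "${ctx:loginId}"}            # self-referential value
    print(resolve_naive("User ${ctx:loginId} logged in", benign))
    print(resolve_naive("User ${ctx:loginId} logged in", crafted, budget=50))
    print(is_cyclic("User ${ctx:loginId} logged in", crafted))
```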
On Thursday, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) issued an emergency directive requiring federal civilian departments and agencies to immediately patch their internet-facing systems against the Log4j vulnerabilities by Thursday, Dec. 23.
Trend Micro's Lederfein noted that the log4j component has had quite a run in the vulnerability spotlight, having received "quite a bit of attention" since the Log4Shell vulnerability was revealed 10 days ago.
News URL
https://threatpost.com/third-log4j-bug-dos-apache-patch/177159/