Security News > 2021 > December > New Apache Log4j Update Released to Patch Newly Discovered Vulnerability
The Apache Software Foundation on Tuesday rolled out fresh patches to contain an arbitrary code execution flaw in Log4j that could be abused by threat actors to run malicious code on affected systems, making it the fifth security shortcoming to be discovered in the tool in the span of a month.
While Log4j versions 1.x are not affected, users are recommended to upgrade to Log4j 2.3.2, 2.12.4, or 2.17.1.
With the latest fix, the project maintainers have addressed a total of four issues in Log4j since the Log4Shell flaw came to light earlier this month, not to mention a fifth vulnerability affecting versions Log4j 1.2 that will not be fixed -.
CVE-2021-44228 - A remote code execution vulnerability affecting Log4j versions from 2.0-beta9 to 2.14.1.
CVE-2021-45046 - An information leak and remote code execution vulnerability affecting Log4j versions from 2.0-beta9 to 2.15.0, excluding 2.12.2.
CVE-2021-45105 - A denial-of-service vulnerability affecting Log4j versions from 2.0-beta9 to 2.16.0.
News URL
https://thehackernews.com/2021/12/new-apache-log4j-update-released-to.html
Related news
- Cisco Releases Patch for Critical URWB Vulnerability in Industrial Wireless Systems (source)
- PAN-OS Firewall Vulnerability Under Active Exploitation – IoCs and Patch Released (source)
- Veeam Issues Patch for Critical RCE Vulnerability in Service Provider Console (source)
- Cleo File Transfer Vulnerability Under Exploitation – Patch Pending, Mitigation Urged (source)
- Microsoft Fixes 72 Flaws, Including Patch for Actively Exploited CLFS Vulnerability (source)
- Patch Tuesday: Microsoft Patches One Actively Exploited Vulnerability, Among Others (source)
- BeyondTrust Issues Urgent Patch for Critical Vulnerability in PRA and RS Products (source)
- Patch Alert: Critical Apache Struts Flaw Found, Exploitation Attempts Detected (source)
Related Vulnerability
| DATE | CVE | VULNERABILITY TITLE | RISK |
|---|---|---|---|
| 2021-12-18 | CVE-2021-45105 | Uncontrolled Recursion vulnerability in multiple products Apache Log4j2 versions 2.0-alpha1 through 2.16.0 (excluding 2.12.3 and 2.3.1) did not protect from uncontrolled recursion from self-referential lookups. | 5.9 |
| 2021-12-14 | CVE-2021-45046 | It was found that the fix to address CVE-2021-44228 in Apache Log4j 2.15.0 was incomplete in certain non-default configurations. | 9.0 |
| 2021-12-10 | CVE-2021-44228 | Apache Log4j2 2.0-beta9 through 2.15.0 (excluding security releases 2.12.2, 2.12.3, and 2.3.1) JNDI features used in configuration, log messages, and parameters do not protect against attacker controlled LDAP and other JNDI related endpoints. network low complexity apache siemens intel debian fedoraproject sonicwall netapp cisco snowsoftware bentley percussion apple critical | 10.0 |