After flaws were found in its previous release, issued on Tuesday, Apache has released version 2.17.0 of Log4j. According to Apache, version 2.16.0 does not always protect against unbounded recursion in lookup evaluation and is vulnerable to CVE-2021-45105, a denial-of-service flaw.
The severity was described as “high,” with a CVSS score of 7.5. Apache went on to say that Hideki Okamoto of Akamai Technologies and an unknown vulnerability researcher uncovered the latest flaw.
Apache lists two mitigations: applying the 2.17.0 patch, and replacing Context Lookups such as ${ctx:loginId} or $${ctx:loginId} in PatternLayout in the logging configuration with Thread Context Map patterns (%X, %mdc, or %MDC). Apache also recommended removing references to Context Lookups in the configuration, such as ${ctx:loginId} or $${ctx:loginId}, where they originate from external sources like HTTP headers or user input. They pointed out that CVE-2021-45105 only affects the log4j-core JAR file.
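As an added illustration (constructed here, not taken from the Apache advisory or from the article), a log4j2.xml fragment showing a PatternLayout that still uses the Context Lookup Apache says to replace, beside the same layout rewritten with the Thread Context Map pattern; the appender and logger names and the loginId key are placeholders.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Constructed example configuration; names and the loginId key are placeholders. -->
<Configuration status="WARN">
  <Appenders>

    <!-- BEFORE: a Context Lookup inside the layout pattern.
         Apache lists both ${ctx:loginId} and $${ctx:loginId} as forms to replace;
         the $$ form defers evaluation to log time, so the value is evaluated as a
         lookup on every event. This is the pattern the 2.16.0 advisory says to remove. -->
    <Console name="ConsoleWithLookup" target="SYSTEM_OUT">
      <PatternLayout pattern="%d{HH:mm:ss.SSS} [%t] %-5level user=$${ctx:loginId} - %m%n"/>
    </Console>

    <!-- AFTER: the Thread Context Map pattern converter.
         %X{loginId} copies the value stored via ThreadContext.put("loginId", ...)
         into the output as plain text, with no lookup evaluation of its contents.
         %mdc{loginId} and %MDC{loginId} are equivalent aliases. -->
    <Console name="ConsoleFixed" target="SYSTEM_OUT">
      <PatternLayout pattern="%d{HH:mm:ss.SSS} [%t] %-5level user=%X{loginId} - %m%n"/>
    </Console>

  </Appenders>
  <Loggers>
    <!-- Only the corrected appender is wired up; the vulnerable one is shown for contrast. -->
    <Root level="info">
      <AppenderRef ref="ConsoleFixed"/>
    </Root>
  </Loggers>
</Configuration>
```

Searching a deployment's configuration files for the literal strings `${ctx:` and `$${ctx:` is a quick way to find layouts that still need this change, independent of upgrading log4j-core to 2.17.0.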
Security experts began tweeting about potential issues with 2.16.0 on Friday, with some suspecting a denial of service vulnerability. The topic of Log4j has dominated the discourse this week. CISA issued additional recommendations requiring civilian government agencies in the United States to implement fixes before Christmas. At the same time, major IT firms like IBM, Cisco, and VMware rushed to fix Log4j flaws in their products.
Blumira, a security firm, claims to have discovered a new Log4j attack vector that may be exploited through a listening server on a workstation or local network, undermining the idea that the issue was restricted to exposed vulnerable servers. Other cybersecurity organizations have found that large ransomware gangs such as Conti are looking into exploiting the flaw.
In a security report released on Friday, James Wetter and Nicky Ringland of Google’s Open Source Insights Team discovered that 35,863 of the accessible Java components from Maven Central rely on the problematic Log4j code.
Nearly 5,000 artifacts have been fixed thus far, with over 30,000 more to go. However, because of how deeply Log4j is embedded in some dependency trees, the two agree that addressing the problem will be challenging. After reviewing all publicly disclosed critical advisories affecting Maven packages, the two concluded that fewer than half (48 percent) of the artifacts affected by a vulnerability had been repaired, implying that the Log4j issue might take years to resolve.