The original Log4j vulnerability (CVE-2021-44228), which shocked the world because of its seriousness, its ease of exploitation, and the sheer number of software and cloud solutions it affects, is not the only vulnerability in the Java-based logging utility.
Following the release of version 2.15.0 to correct that vulnerability, it was confirmed that version 2.15.0 remained vulnerable in certain non-default configurations because the patch was incomplete. The new vulnerability is tracked as CVE-2021-45046 and was resolved in Log4j version 2.16.0. It was initially assigned a low-severity CVSS score of 3.7, but the score has since been raised to critical (CVSS 9.0): although it was first documented as a denial-of-service bug, it was later established that it can be exploited for data exfiltration and remote code execution as well.
As Apache states, “If the logging configuration utilizes a non-default Pattern Layout having a Context Lookup (for instance, $${ctx:loginId}), attackers that can control the Thread Context Map (MDC) input information could create malicious input data that consists of a recursive lookup, leading to a StackOverflowError that may shut down the process.”
Apache strongly recommended that organizations upgrade again, this time to version 2.16.0, to avoid exploitation of the new vulnerability; nevertheless, yet another vulnerability has already been discovered, tracked as CVE-2021-45105. This one is a DoS bug with a CVSS score of 7.5 (high severity) and affects all Log4j versions from 2.0-beta9 up to 2.16.0.
According to the Apache Software Foundation (ASF), Apache Log4j2 versions 2.0-alpha1 through 2.16.0 did not protect against uncontrolled recursion from self-referential lookups. If the logging configuration uses a non-default Pattern Layout with a Context Lookup (for instance, $${ctx:loginId}), attackers who can control the Thread Context Map input data can craft malicious input containing a recursive lookup, causing a StackOverflowError that will shut down the process.
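Both CVE-2021-45046 and CVE-2021-45105 share the precondition described above: a non-default PatternLayout whose pattern embeds a Context (MDC) lookup such as $${ctx:loginId}. The following Python script is an added example (not code from Apache or from this article) that audits a Log4j 2 XML configuration for exactly that precondition, so a defender can find which configurations need attention ahead of, or in addition to, the upgrade. The two configuration documents are constructed for the demo; the hardened variant assumes the equivalent %X{loginId} MDC converter, which prints the MDC value directly rather than sending it through the lookup substitution engine.

```python
"""Audit Log4j 2 XML configuration for PatternLayout patterns that embed a
Context (MDC) lookup, the precondition for CVE-2021-45046 / CVE-2021-45105.

Added example, not Apache's code. All configurations below are constructed.
"""
import re
import xml.etree.ElementTree as ET
from typing import Dict, List

# Matches a Context Lookup in a pattern: ${ctx:name} or the deferred
# $${ctx:name} form that Log4j resolves per log event (the form Apache cites).
CTX_LOOKUP = re.compile(r"\$?\$\{ctx:[^}]*\}", re.IGNORECASE)

# Constructed sample: a non-default layout that embeds an MDC lookup.
VULNERABLE_CONFIG = """
<Configuration status="WARN">
  <Appenders>
    <Console name="Console" target="SYSTEM_OUT">
      <PatternLayout pattern="%d %p user=$${ctx:loginId} %m%n"/>
    </Console>
  </Appenders>
  <Loggers><Root level="info"><AppenderRef ref="Console"/></Root></Loggers>
</Configuration>"""

# Constructed sample: the same field emitted with the %X MDC converter, which
# appends the stored value without re-evaluating it as a lookup (assumption
# stated in the lead-in).
HARDENED_CONFIG = """
<Configuration status="WARN">
  <Appenders>
    <Console name="Console" target="SYSTEM_OUT">
      <PatternLayout pattern="%d %p user=%X{loginId} %m%n"/>
    </Console>
  </Appenders>
  <Loggers><Root level="info"><AppenderRef ref="Console"/></Root></Loggers>
</Configuration>"""


def find_context_lookups(config_xml: str) -> List[Dict[str, object]]:
    """Return one finding per PatternLayout whose pattern contains a ctx lookup.

    Each finding records the offending pattern string and the lookups found in
    it. An empty list means no Context Lookup is present in any PatternLayout.
    """
    root = ET.fromstring(config_xml)
    findings: List[Dict[str, object]] = []
    # PatternLayout may appear under any appender type, so walk the whole tree.
    for layout in root.iter("PatternLayout"):
        pattern = layout.get("pattern", "")
        lookups = CTX_LOOKUP.findall(pattern)
        if lookups:
            findings.append({"pattern": pattern, "lookups": lookups})
    return findings


def is_exposed(config_xml: str) -> bool:
    """True when the configuration meets the Context Lookup precondition."""
    return bool(find_context_lookups(config_xml))


if __name__ == "__main__":
    for name, cfg in (("vulnerable", VULNERABLE_CONFIG), ("hardened", HARDENED_CONFIG)):
        for finding in find_context_lookups(cfg):
            print(f"[{name}] Context Lookup in pattern: {finding['pattern']!r}"
                  f" -> {finding['lookups']}")
        print(f"[{name}] exposed: {is_exposed(cfg)}")
```

Run it against your own log4j2.xml files by reading each file into a string and passing it to `find_context_lookups`. A non-empty result is a configuration where untrusted MDC data reaches a lookup, which is the condition both advisories name; the fix remains upgrading to the patched release, but the audit tells you which deployments to prioritize.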
CVE-2021-45105 is fixed in version 2.17.0, the third Log4j release in ten days. More details on the Log4j vulnerabilities, along with the latest updates, are available on this page.