Sunday, November 17, 2024

In addition to “Log4Shell” in the Java Log4j library, a new vulnerability “CVE-2021-45046” was discovered and can be fixed by updating –GIGAZINE

Date:



A critical vulnerability, CVE-2021-44228, commonly known as “Log4Shell”, has been discovered in Log4j, a Java log output library, which allows arbitrary code to be executed remotely. Apache Software Foundation (ASF), which provides Log4j, has a new vulnerability.CVE – 2021‑45046An update from Log4j to version 2.16.0 or later has been discovered and requested.

CVE – CVE-2021-45046
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-45046

CVE-2021-45046: Red Hat Customer Portal
https://access.redhat.com/security/cve/cve-2021-45046

Log4Shell Update: Second log4j vulnerability released (CVE-2021-44228 + CVE-2021-45046) | LunaSec
https://www.lunasec.io/docs/blog/log4j-zero-day-update-on-cve-2021-45046/

Protection against CVE-2021-45046, the additional vulnerability Log4j RCE
https://blog.cloudflare.com/protection-against-cve-2021-45046-the-additional-log4j-rce-vulnerability/

The following articles summarize the vulnerabilities in Log4Shell that have been confirmed in Log4j version 2.0 beta 9 to version 2.14.1.

Why does the “Log4Shell (CVE-2021-44228)” vulnerability found in the Java Log4j library have a major impact on the world? – GIGAZINE


On December 10, 2021, ASF released version 2.15.0 with Log4Shell protection. However, it turns out that the Log4Shell countermeasures are insufficient in certain configurations other than the default. According to Apache, when using a non-default PatternLayout, use Context Lookup ($ {ctx: loginId}, etc.) or Thread Context Map (% X,% mdc,% MDC) to handle the input data of the thread context. An attacker who can create bad input data with a JNDI reference pattern andDOS attackThere was a possibility that it could cause.

So far, as a workaround for the Log4Shell exploit, a method has been introduced to set “log4j2.noFormatMsgLookup” to True, but CVE-2021-45046 could avoid this invalid configuration and attack.


Therefore, ASF released version 2.16.0 (Java 8 or later) on December 14, 2021. Version 2.16.0 addresses the newly discovered vulnerability CVE-2021-45046. In version 2.16.0, the JNDI function itself is disabled by default and the message search function has been removed …


ASF has also released Log4j version 2.12.2 for the Java 7 runtime. Previously, version 2.12.1 was the final version of Log4j for Java 7, but version 2.12.2 of the Java 7 runtime was released to support Log4Shell and CVE-2021-45046. ASF requests Log4j updates as soon as possible.

Copy the title and URL of this article.

Ebenezer Robbins
Ebenezer Robbins
Introvert. Beer guru. Communicator. Travel fanatic. Web advocate. Certified alcohol geek. Tv buff. Subtly charming internet aficionado.

Share post:

Popular

More like this
Related

Practice Acrylic Nail Techniques Without Needing a Fake Hand

When you're starting your journey with acrylic nails, practice...

Inside the World of Common Snapping Turtles: Behavior and Habitat

The common snapping turtle (Chelydra serpentina) is one of...

How to Use Video Marketing to Promote B2C Products?

Video marketing has emerged as a powerful tool for...

Adapting to Change: The Future for Leopard Tortoise Environments

Leopard tortoises, known for their striking spotted shells and...