A critical vulnerability, CVE-2021-44228, commonly known as "Log4Shell", was discovered in Log4j, a Java logging library; it allows arbitrary code to be executed remotely. The Apache Software Foundation (ASF), which maintains Log4j, has now disclosed a further vulnerability, CVE-2021-45046, and is asking users to update Log4j to version 2.16.0 or later.
Related links:
CVE-2021-45046 (MITRE CVE entry)
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-45046
CVE-2021-45046 (Red Hat Customer Portal)
https://access.redhat.com/security/cve/cve-2021-45046
Log4Shell Update: Second log4j vulnerability released (CVE-2021-44228 + CVE-2021-45046) (LunaSec)
https://www.lunasec.io/docs/blog/log4j-zero-day-update-on-cve-2021-45046/
Protection against CVE-2021-45046, the additional Log4j RCE vulnerability (Cloudflare)
https://blog.cloudflare.com/protection-against-cve-2021-45046-the-additional-log4j-rce-vulnerability/
The articles above summarize the Log4Shell vulnerability, which was confirmed in Log4j versions 2.0-beta9 through 2.14.1.
On December 10, 2021, ASF released version 2.15.0 with a fix for Log4Shell. It has since turned out that this fix is incomplete in certain non-default configurations. According to Apache, the problem arises when the logging configuration uses a non-default PatternLayout that includes Thread Context data in the output, either through a Context Lookup (for example ${ctx:loginId}) or through a Thread Context Map pattern (%X, %mdc, or %MDC). An attacker who controls that input can craft malicious data containing a JNDI Lookup pattern, resulting in a denial-of-service attack. (The advisory was later revised to state that remote code execution is possible in some environments, which is why the Cloudflare article above refers to it as an RCE.)
The previously recommended Log4Shell workaround of setting the system property log4j2.formatMsgNoLookups to true does not help against CVE-2021-45046: that property only disables lookups inside the formatted log message, while the vulnerable lookup here is performed by the PatternLayout when it renders Thread Context values, so an attacker can bypass the mitigation.
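To make the two preceding points concrete, the following added example (written for this page, not code from Apache or the Log4j project) scans a log4j2.xml configuration for PatternLayouts that render Thread Context data and checks whether a given Log4j version falls in the range affected by CVE-2021-45046 (2.0-beta9 through 2.15.0, with the Java 7 backport 2.12.2 excluded). The function names, the two embedded configurations and the version strings are all constructed for illustration; the "vulnerable" configuration is only exposed if the application actually places attacker-controlled data into the Thread Context.

```python
import re
import xml.etree.ElementTree as ET
from typing import Dict, List, Tuple

# Layout tokens that pull values from the Thread Context (MDC) into a
# PatternLayout: the Context Lookup ${ctx:...} and the Thread Context Map
# conversion patterns %X, %mdc and %MDC named in the CVE-2021-45046 advisory.
RISKY_LAYOUT_RE = re.compile(r"\$\{ctx:|%X\b|%mdc\b|%MDC\b")

# Constructed sample configurations (hypothetical, not from a real deployment).
VULNERABLE_CONFIG = """<Configuration status="WARN">
  <Appenders>
    <Console name="Console" target="SYSTEM_OUT">
      <PatternLayout pattern="%d %p %c{1.} [%t] %X{loginId} %m%n"/>
    </Console>
  </Appenders>
  <Loggers><Root level="info"><AppenderRef ref="Console"/></Root></Loggers>
</Configuration>"""

# Same configuration with the Thread Context reference removed from the layout.
HARDENED_CONFIG = """<Configuration status="WARN">
  <Appenders>
    <Console name="Console" target="SYSTEM_OUT">
      <PatternLayout pattern="%d %p %c{1.} [%t] %m%n"/>
    </Console>
  </Appenders>
  <Loggers><Root level="info"><AppenderRef ref="Console"/></Root></Loggers>
</Configuration>"""


def find_risky_layouts(log4j2_xml: str) -> List[Tuple[str, str]]:
    """Return (appender name, pattern) for every PatternLayout whose pattern
    references the Thread Context, i.e. the configurations for which
    log4j2.formatMsgNoLookups=true and Log4j 2.15.0 are not sufficient."""
    root = ET.fromstring(log4j2_xml)
    findings = []
    for element in root.iter():
        for layout in element.findall("PatternLayout"):
            pattern = layout.get("pattern")
            if pattern is None:  # the pattern may also be given as a child element
                child = layout.find("Pattern")
                pattern = child.text if child is not None and child.text else ""
            if RISKY_LAYOUT_RE.search(pattern):
                findings.append((element.get("name", element.tag), pattern))
    return findings


def parse_version(version: str) -> Tuple[int, int, int, int, int]:
    """Parse '2.14.1' or '2.0-beta9' into a sortable tuple; a beta sorts
    before the final release of the same number."""
    m = re.fullmatch(r"(\d+)\.(\d+)(?:\.(\d+))?(?:-beta(\d+))?", version.strip())
    if m is None:
        raise ValueError(f"unrecognised Log4j version: {version!r}")
    major, minor, patch, beta = m.groups()
    is_final = 0 if beta else 1
    return (int(major), int(minor), int(patch or 0), is_final, int(beta or 0))


def affected_by_cve_2021_45046(version: str) -> bool:
    """Affected range per the advisory: 2.0-beta9 through 2.15.0, except the
    Java 7 backport 2.12.2; fixed in 2.16.0 (Java 8+) and 2.12.2 (Java 7)."""
    v = parse_version(version)
    if v == parse_version("2.12.2"):
        return False
    return parse_version("2.0-beta9") <= v <= parse_version("2.15.0")


def assess(version: str, log4j2_xml: str) -> Dict[str, object]:
    """Combine the version check with the configuration scan."""
    risky = find_risky_layouts(log4j2_xml)
    vulnerable_version = affected_by_cve_2021_45046(version)
    return {
        "update_required": vulnerable_version,
        "risky_layouts": risky,
        # Both an affected version and a layout that renders Thread Context
        # data are needed before attacker-controlled MDC values matter.
        "config_renders_thread_context": vulnerable_version and bool(risky),
    }


if __name__ == "__main__":
    for label, cfg in (("vulnerable", VULNERABLE_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(label, assess("2.15.0", cfg))
```

Running the script against the two constructed configurations with version 2.15.0 flags the first (because of %X{loginId}) and clears the second, while still reporting that an update is required in both cases; removing the Thread Context reference from the layout only narrows the exposure and is not a substitute for upgrading to 2.16.0 or 2.12.2.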
Therefore, on December 14, 2021, ASF released version 2.16.0 (which requires Java 8 or later). Version 2.16.0 addresses the newly discovered CVE-2021-45046: JNDI functionality is disabled by default, and support for message lookups has been removed entirely …
ASF has also released Log4j version 2.12.2 for the Java 7 runtime. Version 2.12.1 was previously the final Log4j release for Java 7, but 2.12.2 was published so that Java 7 users also receive the fixes for Log4Shell and CVE-2021-45046. ASF asks that Log4j be updated as soon as possible.