The Apache Software Foundation (ASF) has released a new version of its logging utility, Log4j 2.17.0, designed to remove a high-risk vulnerability that could be exploited by malicious actors to perform a denial-of-service (DoS) attack.
Tracked as CVE-2021-45105, the new bug impacts all versions of the tool from 2.0-beta9 to 2.16.0, the release Apache issued earlier this month to address the CVE-2021-44228 remote code execution flaw (Log4Shell) in Log4j and the subsequent CVE-2021-45046 bug, which stemmed from an "incomplete" fix for Log4Shell.
“Apache Log4j2 versions 2.0-alpha1 through 2.16.0 did not protect from uncontrolled recursion from self-referential lookups. When the logging configuration uses a non-default Pattern Layout with a Context Lookup (for example, $${ctx:loginId}), attackers with control over Thread Context Map (MDC) input data can craft malicious input data that contains a recursive lookup, resulting in a StackOverflowError that will terminate the process. This is also known as a DOS (Denial of Service) attack,” Apache explained in a security advisory describing CVE-2021-45105.
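The advisory's precondition is a PatternLayout that uses a Context Lookup. As an added example (not code from the article or from the Log4j project), the Python check below scans a Log4j2 XML configuration for such lookups and proposes the equivalent `%X{key}` Thread Context Map pattern, which is the configuration-side change the Log4j project recommends alongside upgrading; the sample configuration is constructed for the demonstration.

```python
import re
import xml.etree.ElementTree as ET
from typing import Dict, List

# Matches a Context Lookup inside a layout pattern: ${ctx:name} or $${ctx:name}
CTX_LOOKUP = re.compile(r"\$\$?\{ctx:([^}]*)\}")

# Constructed sample: the Console appender uses the risky lookup form,
# the File appender already uses the %X{} Thread Context Map pattern.
SAMPLE_CONFIG = """<Configuration status="WARN">
  <Appenders>
    <Console name="Console" target="SYSTEM_OUT">
      <PatternLayout pattern="%d %p user=$${ctx:loginId} %m%n"/>
    </Console>
    <File name="File" fileName="app.log">
      <PatternLayout>
        <Pattern>%d %p user=%X{loginId} %m%n</Pattern>
      </PatternLayout>
    </File>
  </Appenders>
  <Loggers>
    <Root level="info"><AppenderRef ref="Console"/><AppenderRef ref="File"/></Root>
  </Loggers>
</Configuration>"""


def find_context_lookups(pattern: str) -> List[str]:
    """Return the MDC key names a layout pattern references via Context Lookups."""
    return CTX_LOOKUP.findall(pattern)


def audit_log4j2_config(xml_text: str) -> List[Dict[str, object]]:
    """Report every PatternLayout whose pattern contains a Context Lookup.

    The pattern may be given as a 'pattern' attribute or as a nested
    <Pattern> element; both forms are inspected. Each finding carries the
    original pattern, the MDC keys it references, and a rewritten pattern
    that reads the same keys through %X{} instead of a lookup."""
    findings = []
    root = ET.fromstring(xml_text)
    for layout in root.iter("PatternLayout"):
        patterns = [layout.get("pattern")] if layout.get("pattern") else []
        patterns += [c.text.strip() for c in layout.iter("Pattern") if c.text]
        for p in patterns:
            keys = find_context_lookups(p)
            if keys:
                findings.append({"pattern": p, "mdc_keys": keys,
                                 "suggested": CTX_LOOKUP.sub(r"%X{\1}", p)})
    return findings


if __name__ == "__main__":
    for f in audit_log4j2_config(SAMPLE_CONFIG):
        print(f"context lookup on {f['mdc_keys']}: {f['pattern']!r} -> {f['suggested']!r}")
```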
Last week, researchers from security firm Blumira disclosed an alternative attack vector for the Log4j vulnerability, which relies on a JavaScript WebSocket connection to trigger the RCE on internal and locally exposed unpatched Log4j applications.
"This newly-discovered attack vector means that anyone with a vulnerable Log4j version on their machine or local private network can browse a website and potentially trigger the vulnerability," Matthew Warner, CTO of Blumira, said. He added that his company has not detected any active exploitation attempts, and the "vector significantly expands the attack surface and can impact services even running as localhost which were not exposed to any network."