Another Log4j Bug – DoS

Posted on December 20, 2021 (updated December 22, 2021) by Santhosh Ponnam

A Denial of Service (DoS) flaw is another Log4j bug, reported over the last couple of days after the fix for the JNDI issue was provided. The new Log4j vulnerability is similar to Log4Shell, but this DoS flaw has to do with Thread Context Map lookups. Apache released another patch, version 2.17.0, to address the DoS vulnerability.

As explained by Guy Lederfein of the Trend Micro Research Team, “The Apache Log4j API supports variable substitution in the lookups. However, a crafted variable can cause the application to crash due to uncontrolled recursive substitutions. An attacker with control over lookup commands (e.g., via the Thread Context Map) can craft a malicious lookup variable, which results in a Denial-of-Service (DoS) attack.”
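The failure mode described in that quote is a substitution engine that keeps re-expanding a value which refers back to itself until the stack is exhausted. The following toy substitutor is an added example written for this post; it is not Log4j code and does not reproduce Log4j's StrSubstitutor. It assumes a minimal `${name}` syntax and a plain dictionary standing in for the Thread Context Map, and shows the two defensive properties a lookup engine needs: a hard depth limit on nested expansion, and a logger-side wrapper that turns a limit violation into a recoverable error rather than a crash.

```python
import re
from typing import Dict

# Matches a single ${name} reference whose body contains no further '$', '{' or '}'.
LOOKUP_RE = re.compile(r"\$\{([^${}]+)\}")


class RecursionLimitExceeded(ValueError):
    """Raised when nested substitutions exceed the configured depth."""


def substitute(template: str, variables: Dict[str, str], max_depth: int = 16) -> str:
    """Expand ${name} references from `variables`, resolving references that
    appear inside substituted values, but never deeper than `max_depth` levels.
    Unknown names are left as literal text instead of being re-expanded."""

    def expand(text: str, depth: int) -> str:
        if depth > max_depth:
            raise RecursionLimitExceeded(
                f"substitution exceeded {max_depth} nested levels in {text!r}")

        def replace(match: "re.Match[str]") -> str:
            name = match.group(1)
            if name not in variables:
                return match.group(0)          # leave an unresolved lookup untouched
            # The value may itself contain references, so expand it one level deeper.
            return expand(variables[name], depth + 1)

        return LOOKUP_RE.sub(replace, text)

    return expand(template, 0)


def render_log_line(pattern: str, context: Dict[str, str]) -> str:
    """Logger-side wrapper: a substitution that blows the depth limit must not
    take the application down, so fall back to emitting the raw pattern."""
    try:
        return substitute(pattern, context)
    except RecursionLimitExceeded as exc:
        return f"{pattern} [substitution aborted: {exc}]"


if __name__ == "__main__":
    # Constructed sample context, standing in for the Thread Context Map (MDC).
    ctx = {"user": "alice", "session": "s-${user}", "loop": "${loop}"}
    print(render_log_line("login user=${user} session=${session}", ctx))
    print(render_log_line("bad value=${loop}", ctx))
```

The depth limit is the important design choice: legitimate nested references (a session id built from a user name) resolve in two levels, while a value that refers to itself hits the limit after a bounded number of steps and is reported instead of consuming the stack. The wrapper also shows why the logging layer, not the caller, should own that failure: untrusted data reaching a log statement must never be able to abort the request that logged it.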

Just a few days after CVE-2021-45046 was released and fixed, a third zero-day vulnerability was discovered in Apache Log4j, tracked as CVE-2021-45105. The bug was reported on December 15, 2021, and disclosed on December 18, 2021.

This third vulnerability has received a CVSS score of 7.5 out of 10, whereas the first one known as Log4Shell (CVE-2021-44228) received the maximum CVSS score of 10 due to its criticality. The second vulnerability (CVE-2021-45046) had received a CVSS score of 3.7 initially but was later changed to 9.0, as it could also allow Remote Code Execution attacks.

This security issue affects Apache Log4j versions 2.0-beta9 to 2.16.0 and could allow attackers with control over the Thread Context Map (MDC) input data to perform a DoS attack. Although this bug lies in the same library, it is not a variant of Log4Shell, as it can also abuse non-JNDI lookups.

The vulnerability has been tested and confirmed on Log4j versions up to and including 2.16. Apache has listed mitigating factors, but we recommend upgrading to the latest version to ensure that the bug is completely addressed.
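To act on the upgrade advice you first need to know which log4j-core builds are deployed. The script below is an added example, not code from this post or from the Apache project: it walks a directory tree, picks out `log4j-core-<version>.jar` files by filename, and reports whether each version falls inside the affected range stated above (2.0-beta9 through 2.16.0, fixed in 2.17.0). It assumes the standard Maven artefact naming and only looks at loose jar files, so copies shaded into fat jars or nested inside WARs and EARs would need a separate archive-aware pass; the `build_demo_tree` helper creates constructed placeholder files purely so the script runs stand-alone.

```python
import os
import re
import tempfile
from typing import List, Optional, Tuple

# Version forms seen in log4j-core artefacts: 2.16.0, 2.0, 2.0-beta9, 2.0-rc1.
VERSION_RE = re.compile(
    r"^(\d+)\.(\d+)(?:\.(\d+))?(?:-(alpha|beta|rc)(\d*))?$", re.IGNORECASE)
JAR_RE = re.compile(r"^log4j-core-(.+)\.jar$")
PRERELEASE_RANK = {"alpha": 0, "beta": 1, "rc": 2}


def version_key(version: str) -> Tuple[int, ...]:
    """Sortable key: (major, minor, patch, is_final, prerelease_rank, prerelease_no).
    A final release sorts after any pre-release of the same number."""
    m = VERSION_RE.match(version)
    if not m:
        raise ValueError(f"unrecognised Log4j version: {version!r}")
    major, minor, patch, tag, num = m.groups()
    base = (int(major), int(minor), int(patch or 0))
    if tag is None:
        return base + (1, 0, 0)
    return base + (0, PRERELEASE_RANK[tag.lower()], int(num or 0))


# Affected range as stated in the post: 2.0-beta9 through 2.16.0; fixed in 2.17.0.
LOWEST_AFFECTED = version_key("2.0-beta9")
HIGHEST_AFFECTED = version_key("2.16.0")
FIXED_VERSION = "2.17.0"


def is_affected(version: str) -> bool:
    """True when `version` lies inside the range the post gives for CVE-2021-45105."""
    return LOWEST_AFFECTED <= version_key(version) <= HIGHEST_AFFECTED


def classify_jar(filename: str) -> Optional[str]:
    """'affected', 'not-affected' or 'unknown' for a log4j-core jar; None otherwise."""
    m = JAR_RE.match(filename)
    if not m:
        return None
    try:
        return "affected" if is_affected(m.group(1)) else "not-affected"
    except ValueError:
        return "unknown"


def scan_tree(root: str) -> List[Tuple[str, str]]:
    """Walk `root` and return (path, verdict) for every log4j-core jar found."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in sorted(files):
            verdict = classify_jar(name)
            if verdict is not None:
                findings.append((os.path.join(dirpath, name), verdict))
    return findings


def build_demo_tree() -> str:
    """Constructed sample layout (empty placeholder files, not real jars)."""
    root = tempfile.mkdtemp(prefix="log4j-scan-")
    for rel in ("lib/log4j-core-2.16.0.jar",
                "lib/log4j-api-2.16.0.jar",
                "app/WEB-INF/lib/log4j-core-2.17.0.jar"):
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        open(path, "wb").close()
    return root


if __name__ == "__main__":
    for path, verdict in scan_tree(build_demo_tree()):
        advice = f" -> upgrade to {FIXED_VERSION}" if verdict == "affected" else ""
        print(f"{verdict:13} {path}{advice}")
```

Run it against a real deployment by replacing `build_demo_tree()` with the application's install root. The version key treats a pre-release as older than the matching final release, which is what makes 2.0-beta8 fall outside the range while 2.0-beta9, 2.0-rc1 and 2.0 itself fall inside it; anything the regex cannot parse is reported as `unknown` rather than silently skipped, so an unusual build name still gets a human look.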

Sources:
https://logging.apache.org/log4j/2.x/security.html
https://www.zerodayinitiative.com/blog/2021/12/17/cve-2021-45105-denial-of-service-via-uncontrolled-recursion-in-log4j-strsubstitutor

Category: Java. Tags: dosflaw, log4j, log4j vulnerability, log4jfix

Copyright © 2025 Santhosh Ponnam.
