Denial of Service (DoS) which is another Log4J Bug reported over the last couple of days after the fix for JNDI is provided. Apache Issues Fix and the new Log4j vulnerability is similar to Log4Shell but this DoS flaw has to do with Context Map lookups. Apache released another patch version 2.17.0 to address the Dos Vulnerability.
As explained by Guy Lederfein of the Trend Micro Research Team, “The Apache Log4j API supports variable substitution in the lookups. However, a crafted variable can cause application to crash due to uncontrolled recursive substitutions. An attacker with control over lookup commands (e.g., via the Thread Context Map) can craft a malicious lookup variable, which results in a Denial-of-Service (DoS) attack.”
Just a few days after CVE-2021-45046 was released and fixed, a third zero-day vulnerability was discovered in Apache Log4j, tracked as CVE-2021-45105. The bug was reported on December 15, 2021, and disclosed on December 18, 2021.
This third vulnerability has received a CVSS score of 7.5 out of 10, whereas the first one known as Log4Shell (CVE-2021-44228) received the maximum CVSS score of 10 due to its criticality. The second vulnerability (CVE-2021-45046) had received a CVSS score of 3.7 initially but was later changed to 9.0, as it could also allow Remote Code Execution attacks.
This security issue affects Apache Log4j versions 2.0-beta9 to 2.16.0 and could allow attackers with control over the Thread Context Map (MDC) input data to perform a DoS attack. Although this bug lies in the same library, it’s not a variant from Log4Shell, as it can also abuse non-JNDI lookups.
The vulnerability has been tested , confirmed on Log4j versions up to and including 2.16. Apache has listed mitigating factors, but we recommend upgrading to the latest version to ensure that the bug is completely addressed.