Santhosh Ponnam

Technology Blog

Another Log4j Bug – DoS

Posted on December 20, 2021December 22, 2021 By Santhosh Ponnam

A Denial of Service (DoS) is the next Log4j bug, reported within days of the fix for the JNDI issue. The new vulnerability sits in the same lookup-substitution code as Log4Shell, but this DoS flaw has to do with Context Map lookups rather than JNDI. Apache has released another patch, version 2.17.0, to address the DoS vulnerability.

As explained by Guy Lederfein of the Trend Micro Research Team, “The Apache Log4j API supports variable substitution in the lookups. However, a crafted variable can cause the application to crash due to uncontrolled recursive substitutions. An attacker with control over lookup commands (e.g., via the Thread Context Map) can craft a malicious lookup variable, which results in a Denial-of-Service (DoS) attack.”

Just a few days after CVE-2021-45046 was disclosed and fixed, a third vulnerability was discovered in Apache Log4j, tracked as CVE-2021-45105. The bug was reported on December 15, 2021, and disclosed on December 18, 2021.

This third vulnerability has received a CVSS score of 7.5 out of 10, whereas the first one known as Log4Shell (CVE-2021-44228) received the maximum CVSS score of 10 due to its criticality. The second vulnerability (CVE-2021-45046) had received a CVSS score of 3.7 initially but was later changed to 9.0, as it could also allow Remote Code Execution attacks.

This security issue affects Apache Log4j versions 2.0-beta9 through 2.16.0 (Apache later widened the range to 2.0-alpha1 and excluded 2.12.3 and 2.3.1, the backported fixes for the Java 7 and Java 6 release lines). It lets an attacker who controls Thread Context Map (MDC) data cause a DoS: when the logging configuration uses a context lookup such as ${ctx:loginId} in a PatternLayout, a context value that itself contains a lookup (for example the literal text ${ctx:loginId}) is substituted again and again until the thread dies with a StackOverflowError. Although the bug lies in the same library, it is not a variant of Log4Shell: it needs no JNDI at all and is triggered through non-JNDI lookups.
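To make the mechanism concrete, here is a small Java program (an added example, not code from this post or from Apache) that configures Log4j programmatically with the two layouts side by side: the vulnerable one, whose literal text contains a Context Map lookup that is re-substituted for every event, and the %X{loginId} pattern Apache recommends instead, which copies the MDC value without interpreting it. The class name, the appender name, the loginId key and the hostile value are my own choices for the demonstration.

```java
import org.apache.logging.log4j.Level;
import org.apache.logging.log4j.LogManager;
import org.apache.logging.log4j.Logger;
import org.apache.logging.log4j.ThreadContext;
import org.apache.logging.log4j.core.config.Configurator;
import org.apache.logging.log4j.core.config.builder.api.ConfigurationBuilder;
import org.apache.logging.log4j.core.config.builder.api.ConfigurationBuilderFactory;
import org.apache.logging.log4j.core.config.builder.impl.BuiltConfiguration;

/**
 * Added example (not from the original post): shows why a Context Map lookup
 * inside a PatternLayout is the trigger for CVE-2021-45105, and how the
 * pattern converter Apache recommends instead (%X{key}) avoids it.
 *
 * Run with log4j-api and log4j-core 2.16.0 on the classpath to reproduce the
 * StackOverflowError; with 2.17.0 the same hostile value is logged as text.
 */
public class CtxLookupDosDemo {

    // Vulnerable: the layout itself contains a lookup. "$$" defers evaluation
    // from configuration time to log time, so it runs once per event.
    static final String VULNERABLE_PATTERN = "%d{HH:mm:ss} %-5p [user=$${ctx:loginId}] %m%n";

    // Mitigation from the Apache advisory: read the Thread Context Map with the
    // %X (alias %mdc / %MDC) converter, which never performs substitution.
    static final String SAFE_PATTERN = "%d{HH:mm:ss} %-5p [user=%X{loginId}] %m%n";

    // Builds a console appender with the given pattern and installs it as the
    // configuration for this JVM; must run before the first getLogger() call.
    static void configure(String pattern) {
        ConfigurationBuilder<BuiltConfiguration> b = ConfigurationBuilderFactory.newConfigurationBuilder();
        b.setStatusLevel(Level.ERROR);
        b.add(b.newAppender("Stdout", "Console")
                .add(b.newLayout("PatternLayout").addAttribute("pattern", pattern)));
        b.add(b.newRootLogger(Level.INFO).add(b.newAppenderRef("Stdout")));
        Configurator.initialize(b.build());
    }

    public static void main(String[] args) {
        boolean safe = args.length > 0 && args[0].equals("safe");
        configure(safe ? SAFE_PATTERN : VULNERABLE_PATTERN);
        Logger log = LogManager.getLogger(CtxLookupDosDemo.class);

        // Constructed attacker input: a self-referential lookup, standing in for
        // an HTTP header or form field that the application copies into the MDC.
        String hostile = "${ctx:loginId}";
        ThreadContext.put("loginId", hostile);
        try {
            // 2.16.0 + VULNERABLE_PATTERN: the substitution recurses until the
            // stack is exhausted and the Error surfaces out of this call.
            log.info("login attempt");
            System.out.println("event logged without recursion");
        } catch (StackOverflowError e) {
            System.out.println("DoS reproduced: uncontrolled recursion in lookup substitution");
        } finally {
            ThreadContext.clearAll();
        }
    }
}
```

Run it once with no argument and once with "safe" to compare the two layouts on the same library version. In a real server the Error is not caught this neatly: it takes down the worker thread that was handling the request, which is exactly the DoS the advisory describes.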

The vulnerability has been tested and confirmed on Log4j versions up to and including 2.16.0. Apache has listed mitigating factors for anyone who cannot upgrade immediately: in the PatternLayout, replace Context Lookups such as ${ctx:loginId} or $${ctx:loginId} with the Thread Context Map pattern converters (%X, %mdc or %MDC), or remove context lookups whose values originate outside the application (HTTP headers, user input). We recommend upgrading to 2.17.0 (2.12.3 on Java 7, 2.3.1 on Java 6) and then verifying the log4j-core version that actually ends up on the classpath, since a transitive dependency can pull in an older jar than the one you declared.
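Because the fix was backported to the older release lines, a naive "is it at least 2.17.0" comparison misjudges two patched versions. The following Java helper (added here, not from the post) encodes the fixed releases named in the Apache advisory and, as an extra, tries to read the version of the log4j-core jar actually on the classpath. The class and method names are mine, and reading the version from the manifest Implementation-Version attribute is an assumption about how the jar is packaged; it prints null when the attribute is absent.

```java
/**
 * Added example (not from the original post). Decides whether a log4j-core
 * version string carries the CVE-2021-45105 fix. Fixed releases are 2.17.0
 * (main line), 2.12.3 (Java 7 line) and 2.3.1 (Java 6 line), so a plain
 * ">= 2.17.0" check wrongly flags the two backports as vulnerable.
 */
public final class Log4jFixCheck {

    public static boolean isFixedFor45105(String version) {
        if (version == null) return false;
        String v = version.trim();
        if (v.contains("-")) return false;            // pre-release builds such as 2.0-beta9
        String[] parts = v.split("\\.");
        if (parts.length < 2) return false;
        int[] n = new int[3];                          // major, minor, patch (missing patch = 0)
        try {
            for (int i = 0; i < parts.length && i < 3; i++) n[i] = Integer.parseInt(parts[i]);
        } catch (NumberFormatException e) {
            return false;                              // unparseable: treat as not fixed
        }
        if (n[0] != 2) return false;                   // only the 2.x code base has lookups; 1.x is out of scope here
        if (n[1] >= 17) return true;                   // 2.17.0 and later
        if (n[1] == 12) return n[2] >= 3;              // Java 7 backport line
        if (n[1] == 3)  return n[2] >= 1;              // Java 6 backport line
        return false;
    }

    public static void main(String[] args) {
        // Constructed sample versions when none are given on the command line.
        String[] toCheck = args.length > 0 ? args : new String[] {
            "2.0-beta9", "2.3", "2.3.1", "2.12.2", "2.12.3", "2.14.1", "2.16.0", "2.17.0", "2.17.1" };
        for (String v : toCheck) {
            System.out.printf("%-10s %s%n", v, isFixedFor45105(v) ? "fixed" : "AFFECTED");
        }
        // Runtime check. Assumption: the log4j-core jar on the classpath records
        // its version in the manifest Implementation-Version attribute.
        try {
            String rt = Class.forName("org.apache.logging.log4j.core.Logger")
                             .getPackage().getImplementationVersion();
            System.out.println("log4j-core on classpath: " + rt + " -> "
                    + (isFixedFor45105(rt) ? "fixed" : "AFFECTED or unknown"));
        } catch (ClassNotFoundException e) {
            System.out.println("log4j-core not on classpath");
        }
    }
}
```

Treat "unknown" as a finding rather than a pass: when the manifest carries no version, fall back to the resolved dependency tree of the build (the log4j-core entry in the Maven or Gradle dependency report) or to hashing the jar itself.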

Sources:
https://logging.apache.org/log4j/2.x/security.html
https://www.zerodayinitiative.com/blog/2021/12/17/cve-2021-45105-denial-of-service-via-uncontrolled-recursion-in-log4j-strsubstitutor

Category: Java. Tags: dosflaw, log4j, log4j vulnerability, log4jfix

Copyright © 2025 Santhosh Ponnam.