Another Log4j Bug – DoS

Posted on December 20, 2021 (updated December 22, 2021) by Santhosh Ponnam

A Denial of Service (DoS) flaw is another Log4j bug, reported in the days after the fix for the JNDI issue was released. Apache has issued a fix. The new Log4j vulnerability is similar to Log4Shell, but this DoS flaw has to do with Context Map lookups rather than JNDI. Apache released another patch version, 2.17.0, to address the DoS vulnerability.

As explained by Guy Lederfein of the Trend Micro Research Team, “The Apache Log4j API supports variable substitution in the lookups. However, a crafted variable can cause the application to crash due to uncontrolled recursive substitutions. An attacker with control over lookup commands (e.g., via the Thread Context Map) can craft a malicious lookup variable, which results in a Denial-of-Service (DoS) attack.”

Just a few days after CVE-2021-45046 was released and fixed, a third zero-day vulnerability was discovered in Apache Log4j, tracked as CVE-2021-45105. The bug was reported on December 15, 2021, and disclosed on December 18, 2021.

This third vulnerability has received a CVSS score of 7.5 out of 10, whereas the first one known as Log4Shell (CVE-2021-44228) received the maximum CVSS score of 10 due to its criticality. The second vulnerability (CVE-2021-45046) had received a CVSS score of 3.7 initially but was later changed to 9.0, as it could also allow Remote Code Execution attacks.

This security issue affects Apache Log4j versions 2.0-beta9 to 2.16.0 and could allow attackers with control over the Thread Context Map (MDC) input data to perform a DoS attack. Although this bug lies in the same library, it is not a variant of Log4Shell, because it can also be triggered through non-JNDI lookups.

The vulnerability has been tested and confirmed on Log4j versions up to and including 2.16. Apache has listed mitigating factors, but we recommend upgrading to the latest version to ensure that the bug is completely addressed.
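The practical question after reading the above is which deployed log4j-core jars fall in the affected range. The script below is an added example, not code from the post or from the Log4j project: it classifies jars against the range the post states (2.0-beta9 through 2.16.0, fixed in 2.17.0), reading the version from the Maven `pom.properties` that log4j-core ships inside the jar when the jar contents are available, and falling back to the `log4j-core-<version>.jar` filename otherwise. The `make_fake_jar` helper builds a constructed stand-in jar so the example runs offline; it is not a real Log4j artifact.

```python
"""Classify log4j-core jars against the CVE-2021-45105 range stated in the post.

Added example (not from the post or the Log4j project). Assumptions:
  - affected range is 2.0-beta9 <= version < 2.17.0, exactly as the post states;
  - a real log4j-core jar carries META-INF/maven/org.apache.logging.log4j/
    log4j-core/pom.properties with a `version=` line (standard Maven packaging);
  - jars nested inside fat jars/wars are not unpacked here.
"""
import io
import re
import zipfile
from pathlib import PurePath

FIRST_AFFECTED = "2.0-beta9"   # lower bound given in the post
FIXED = "2.17.0"               # first release the post says addresses the DoS
POM_PROPS = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"

JAR_RE = re.compile(r"^log4j-core-(\S+)\.jar$", re.IGNORECASE)
VER_RE = re.compile(r"^(\d+)\.(\d+)(?:\.(\d+))?(?:-(alpha|beta|rc)(\d+))?$", re.IGNORECASE)
# Pre-release tags sort before the final release of the same number.
PRE_RANK = {"alpha": 0, "beta": 1, "rc": 2, None: 3}


def parse_version(text):
    """Turn '2.0-beta9' / '2.16.0' into a comparable tuple, or None if unparseable."""
    m = VER_RE.match(text.strip())
    if not m:
        return None
    tag = m.group(4).lower() if m.group(4) else None
    return (int(m.group(1)), int(m.group(2)), int(m.group(3) or 0),
            PRE_RANK[tag], int(m.group(5) or 0))


def is_affected(version):
    """True when the version lies in the post's affected range."""
    return parse_version(FIRST_AFFECTED) <= version < parse_version(FIXED)


def version_from_name(path):
    """Heuristic: take the version from a conventional log4j-core-<ver>.jar name."""
    m = JAR_RE.match(PurePath(path).name)
    return parse_version(m.group(1)) if m else None


def version_from_jar(jar_bytes):
    """Authoritative: read the Maven pom.properties packaged inside the jar."""
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as zf:
        if POM_PROPS not in zf.namelist():
            return None
        for line in zf.read(POM_PROPS).decode("utf-8", "replace").splitlines():
            key, sep, value = line.partition("=")
            if sep and key.strip() == "version":
                return parse_version(value)
    return None


def assess(path, jar_bytes=None):
    """Classify one jar as 'affected', 'not-affected' or 'unknown'."""
    version, source = None, "pom.properties"
    if jar_bytes is not None:
        version = version_from_jar(jar_bytes)
    if version is None:
        version, source = version_from_name(path), "filename"
    if version is None:
        return {"path": path, "status": "unknown"}
    status = "affected" if is_affected(version) else "not-affected"
    return {"path": path, "status": status, "version": version, "source": source}


def make_fake_jar(version):
    """Constructed stand-in jar containing only the pom.properties entry (for demo/tests)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(POM_PROPS, "groupId=org.apache.logging.log4j\n"
                               "artifactId=log4j-core\n"
                               f"version={version}\n")
    return buf.getvalue()


if __name__ == "__main__":
    # Constructed sample inventory: filenames only, plus one renamed jar with real contents.
    for p in ["lib/log4j-core-2.16.0.jar", "lib/log4j-core-2.17.0.jar",
              "lib/log4j-core-2.0-beta9.jar", "lib/log4j-api-2.16.0.jar"]:
        print(assess(p))
    print(assess("lib/logging.jar", make_fake_jar("2.14.1")))
```

Prefer the `pom.properties` path whenever the jar can be opened: repackaged or renamed jars defeat the filename heuristic, and a fat jar or war needs its nested entries unpacked before this check applies. The range is the one the post gives; separate backport releases on older branches are not modelled here.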

Sources:

  • https://logging.apache.org/log4j/2.x/security.html
  • https://www.zerodayinitiative.com/blog/2021/12/17/cve-2021-45105-denial-of-service-via-uncontrolled-recursion-in-log4j-strsubstitutor

Category: Java. Tags: dosflaw, log4j, log4j vulnerability, log4jfix

Copyright © 2023 Santhosh Ponnam.
