The Apache Software Foundation (ASF) has disclosed a third flaw in Log4j, its Java-based open source logging library.
CVE-2021-45105 is an infinite recursion bug rated 7.5/10 that affects Log4j2 versions 2.0-alpha1 through 2.16.0. The fix is Log4j version 2.17.0.
This is the third new version of the tool in the past ten days.
In case you haven't been paying attention: version 2.15.0 was released to fix CVE-2021-44228, a serious and easily exploited remote code execution vulnerability present in many versions up to 2.14.0.
But 2.15.0 did not resolve another problem, CVE-2021-45046, which allows remote attackers with control over Thread Context Map (MDC) input to craft malicious input using a JNDI Lookup pattern. The result can be remote code execution, though fortunately not in all environments.
Version 2.16.0 fixes this problem.
But it did not fix CVE-2021-45105, which ASF describes as follows:
The vendor-agnostic Zero Day Initiative bug bounty program described the vulnerability as follows.
What to do?
You know the drill by now: download the latest version, 2.17.0, of Log4j here and install it wherever Log4j runs, which of course turns out to be everywhere (including some hard-to-find places).
ASF also outlines the following mitigations:
- In PatternLayout in the logging configuration, replace Context Lookups such as ${ctx:loginId} or $${ctx:loginId} with Thread Context Map patterns (%X, %mdc, or %MDC).
- Otherwise, in the configuration, remove references to Context Lookups such as ${ctx:loginId} or $${ctx:loginId} where they originate from sources external to the application, such as HTTP headers or user input.
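To make the first mitigation concrete, here is an added example (not from the article or from the ASF advisory) with two constructed log4j2.xml fragments, one using the ${ctx:loginId} Context Lookup in its PatternLayout and one using the equivalent %X{loginId} Thread Context Map pattern, plus a small scanner that counts remaining Context Lookups in a configuration and a helper that performs the mechanical substitution. The function names, the sample configurations and the appender name are assumptions made for this example.

```shell
#!/bin/sh
# Added example, not code from the article or the Log4j project.
# Shows the weak PatternLayout beside the corrected one and a small check
# for leftover ${ctx:...} / $${ctx:...} Context Lookups in a configuration.

# Constructed sample: the weak configuration. ${ctx:loginId} is a Context
# Lookup substituted at layout time, which is the path the ASF mitigation
# says to remove when loginId can come from outside the application.
WEAK_CONFIG='<Configuration>
  <Appenders>
    <Console name="stdout">
      <PatternLayout pattern="%d %p [user=${ctx:loginId}] %m%n"/>
    </Console>
  </Appenders>
</Configuration>'

# Constructed sample: the corrected configuration. %X{loginId} reads the
# same Thread Context Map entry as plain data, without lookup substitution.
FIXED_CONFIG='<Configuration>
  <Appenders>
    <Console name="stdout">
      <PatternLayout pattern="%d %p [user=%X{loginId}] %m%n"/>
    </Console>
  </Appenders>
</Configuration>'

# count_ctx_lookups (assumed name): read a configuration on stdin and print
# the number of lines that still contain a ${ctx:...} or $${ctx:...} lookup.
# grep -c prints 0 and exits 1 when nothing matches, so keep the count and
# swallow the exit status.
count_ctx_lookups() {
    grep -c -E '[$][$]?[{]ctx:' || true
}

# rewrite_ctx_lookups (assumed name): mechanical form of the first ASF
# mitigation, turning ${ctx:NAME} and $${ctx:NAME} into %X{NAME}. This only
# covers the PatternLayout case; references that must be removed outright
# (the second mitigation) still need a human to review the configuration.
rewrite_ctx_lookups() {
    sed -E 's/[$][$]?[{]ctx:([A-Za-z0-9_.-]+)[}]/%X{\1}/g'
}

# Stand-alone usage: report on both constructed samples and show the rewrite.
printf 'weak config lookups:  %s\n' "$(printf '%s\n' "$WEAK_CONFIG" | count_ctx_lookups)"
printf 'fixed config lookups: %s\n' "$(printf '%s\n' "$FIXED_CONFIG" | count_ctx_lookups)"
printf '%s\n' "$WEAK_CONFIG" | rewrite_ctx_lookups
```

Pointing the scanner at real files is a matter of `count_ctx_lookups < log4j2.xml`; a non-zero count on a deployment that has not yet moved to 2.17.0 is the configuration to fix first.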
Once that's done, pray that ASF has found every defect that needs fixing right away, so that nobody has to worry about this software over Christmas. ®

