How to Fix CVE-2021-45105- A New High Severity Vulnerability in Log4j

On 18th December, a security researcher from Akamai disclosed a new high severity vulnerability (CVE-2021-45105) in Log4j that could lead to Denial of Service attacks. It is the third Log4j vulnerability disclosed in the past two weeks, after CVE-2021-44228 and CVE-2021-45046. Given how quickly the situation is developing, it is highly recommended to follow up on the threat and take prompt mitigating action. Let’s see how to fix CVE-2021-45105, a new high severity vulnerability in Log4j.

Summary Of CVE-2021-45105- A New High Severity Vulnerability:

This high severity vulnerability is due to infinite recursion from self-referential lookups in Thread Context Map (MDC). Apache Foundation said the vulnerability allows attackers to craft malicious input data containing a recursive lookup that leads to StackOverflowError and process termination, which could be a denial of service.

Apache said, “Apache Log4j2 versions 2.0-alpha1 through 2.16.0 did not protect from uncontrolled recursion from self-referential lookups. When the logging configuration uses a non-default Pattern Layout with a Context Lookup (for example, $${ctx:loginId}), attackers with control over Thread Context Map (MDC) input data can craft malicious input data that contains a recursive lookup, resulting in a StackOverflowError that will terminate the process. This is also known as a DOS (Denial of Service) attack.”

Associated CVE ID: CVE-2021-45105
Description: Denial of Service vulnerability in Log4j Logging Library due to infinite recursion in lookup evaluation
Severity: High
Associated ZDI ID: ZDI-21-1541
CVSS Score: 7.5
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Impact Score: NA
Exploitability Score: NA
Attack Vector (AV): Network
Attack Complexity (AC): Low
Privileges Required (PR): None
User Interaction (UI): None
Scope (S): Unchanged
Confidentiality (C): None
Integrity (I): None
Availability (A): High

Log4j Versions Vulnerable To The CVE-2021-45105 Vulnerability:

All versions from 2.0-alpha1 through 2.16.0 are vulnerable to the CVE-2021-45105 stack overflow vulnerability.

Log4j version 1.x is not affected by this flaw. However, it is affected by a different issue, the CVE-2019-1757 remote code execution vulnerability.
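Before patching, you need to know which log4j-core builds are actually deployed. The script below is an added example, not code from the post or from the Log4j project. It assumes the deployed JARs carry their version in the file name (log4j-core-2.14.1.jar, the naming Maven and Gradle builds produce) and classifies each one against the affected range the post gives (2.0-alpha1 through 2.16.0, fixed in 2.17.0); it also treats the Java 6/7 backport releases 2.3.1 and 2.12.3, which Apache lists as fixed for this CVE but the post does not mention, as fixed. The demo at the end creates a few empty, constructed JAR files in a temporary directory so the scan can be run offline.

```shell
#!/bin/sh
# Added example (not from the original post): triage log4j-core JARs by version
# for CVE-2021-45105. Assumption: the version is encoded in the JAR file name.

# Extract "2.14.1" from ".../log4j-core-2.14.1.jar" (assumed naming convention).
jar_version() {
    base="${1##*/}"
    v="${base#log4j-core-}"
    printf '%s\n' "${v%.jar}"
}

# Return 0 (true) when VERSION falls in the affected range described in the
# post (2.0-alpha1 .. 2.16.0), 1 (false) otherwise. 2.17.0+ is fixed; the
# Java 6/7 backports 2.3.1 and 2.12.3 are also fixed (Apache security page).
log4j_core_vulnerable() {
    ver="$1"
    major="${ver%%.*}"
    rest="${ver#*.}"
    minor="${rest%%.*}"
    minor="${minor%%-*}"              # "0-alpha1" -> "0"
    case "$rest" in
        *.*) patch="${rest#*.}" ;;
        *)   patch=0 ;;               # "2.0-alpha1" has no patch component
    esac
    patch="${patch%%-*}"              # "1-rc1" -> "1"
    [ "$major" -eq 2 ] 2>/dev/null || return 1   # only the 2.x line is in scope
    case "$minor" in
        0|1|2) return 0 ;;                              # 2.0 .. 2.2 affected
        3)  [ "$patch" -lt 1 ] && return 0 || return 1 ;;   # fixed in 2.3.1
        12) [ "$patch" -lt 3 ] && return 0 || return 1 ;;   # fixed in 2.12.3
        *)  [ "$minor" -lt 17 ] && return 0 || return 1 ;;  # fixed in 2.17.0
    esac
}

# Walk a directory tree and report every log4j-core JAR with its verdict.
scan_log4j_jars() {
    root="${1:-/}"
    find "$root" -type f -name 'log4j-core-*.jar' 2>/dev/null | while read -r jar; do
        ver=$(jar_version "$jar")
        if log4j_core_vulnerable "$ver"; then
            printf 'VULNERABLE  %-40s log4j-core %s (upgrade required)\n' "$jar" "$ver"
        else
            printf 'ok          %-40s log4j-core %s\n' "$jar" "$ver"
        fi
    done
}

# Offline demo on constructed, empty JAR files (no real Log4j needed).
demo() {
    tmp=$(mktemp -d)
    for v in 2.0-alpha1 2.14.1 2.16.0 2.12.3 2.17.0; do
        : > "$tmp/log4j-core-$v.jar"
    done
    scan_log4j_jars "$tmp"
    rm -rf "$tmp"
}

demo
```

On a real host run `scan_log4j_jars /opt` (or the application root). The file-name check is a first pass only: a JAR embedded inside a fat JAR or WAR, or one renamed by a vendor, will not be found this way, so confirm with a software composition analysis tool or the vendor's own advisory as the post recommends.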

Who Are Impacted By The CVE-2021-45105 Vulnerability?

It impacts almost all products that use the Log4j logging library. Most likely, it affects the same applications as the CVE-2021-44228 and CVE-2021-45046 vulnerabilities, such as Apple, Tencent, Steam, Twitter, Baidu, DIDI, JD, NetEase, CloudFlare, Amazon, Tesla, Apache Solr, Apache Druid, Apache Flink, Apache Struts2, flume, Dubbo, IBM Qradar SIEM, PaloAlto Panorama, Redis, logstash, ElasticSearch, Kafka, ghidra, ghidra server, Minecraft, PulseSecure, UniFi, VMWare, Blender, Google, Webex, LinkedIn, VMWarevCenter, Speed camera LOL, and more. The list does not end there; please visit the link, which has a comprehensive list of the vulnerable applications.
Rather than going through the list, it is better to get your application tested with the vendor.

Other Log4j Vulnerabilities In 2021:

  1. A critical 0-day unauthenticated remote code execution vulnerability in the Log4j logging library (CVE-2021-44228) allows attackers to carry out unauthenticated, remote code execution attacks.
  2. A new vulnerability (CVE-2021-45046) in the Log4j library allows attackers to perform denial of service (DoS) attacks by crafting malicious input data using a JNDI Lookup pattern.

How To Fix CVE-2021-45105- A New Vulnerability Log4j?

If you are still running a 1.x version, ASF urges you to upgrade to the latest version. The best permanent fix is to upgrade to version 2.17.0 or higher. Ask your development team to rebuild the project package with the new version of Log4j. If this vulnerability is found in third-party apps, get in touch with the vendor and ask them to validate and release a permanent fix for the CVE-2021-45105 vulnerability.

Vendor’s Guidelines to Fix CVE-2021-45105 Vulnerability:

It is not enough to wait until vendors release updates. Organizations should take some precautions to protect their network from the CVE-2021-45105 vulnerability.

  1. Block the Log4Shell IoCs on your firewalls, proxies, endpoints, and security monitoring solutions, and track whether any connection to them is established or observed in the infrastructure.
  2. Isolate suspected systems from the network and keep monitoring their activity.
  3. Configure vulnerability scanning tools such as Nexpose, Nessus, or QualysGuard and run automated vulnerability scans.
  4. Disable JNDI on all servers running Log4j. If it cannot be disabled, block all JNDI requests to untrusted servers.
  5. Watch the Apache Log4j Security Vulnerabilities web page for new updates on the Log4Shell vulnerabilities and implement them.

Those who can’t upgrade the Log4j library can follow these mitigation tips shared by ASF.

  • Replace Context Lookups like ${ctx:loginId} or $${ctx:loginId} with Thread Context Map patterns (%X, %mdc, or %MDC) in the PatternLayout of the logging configuration.
  • Otherwise, remove references to Context Lookups like ${ctx:loginId} or $${ctx:loginId} from the configuration where the values originate from sources external to the application, such as HTTP headers or user input.
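The two ASF mitigations above come down to one change in the PatternLayout. The configuration below is a constructed example added here, not the post's own or a file from the Log4j project; the appender name, the "loginId" key and the surrounding pattern are assumptions. The affected form is kept in an XML comment so both can be compared in a single valid log4j2.xml: with `$${ctx:loginId}` the layout runs a Context Lookup on a value that may come from request data, and on 2.0-alpha1 through 2.16.0 a self-referencing value recurses until a StackOverflowError; `%X{loginId}` prints the Thread Context Map entry directly, with no lookup evaluation.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Constructed example log4j2.xml (assumed names), not from the original post -->
<Configuration status="WARN">
  <Appenders>
    <Console name="Console" target="SYSTEM_OUT">
      <PatternLayout>
        <!-- AFFECTED on Log4j 2.0-alpha1 .. 2.16.0: a Context Lookup that the
             lookup engine re-evaluates, so a self-referential MDC value recurses
        <Pattern>%d{ISO8601} [%t] %-5level user=$${ctx:loginId} %c - %m%n</Pattern>
        -->
        <!-- MITIGATED: %X{loginId} reads the Thread Context Map entry as plain
             text; no lookup substitution is performed on the value -->
        <Pattern>%d{ISO8601} [%t] %-5level user=%X{loginId} %c - %m%n</Pattern>
      </PatternLayout>
    </Console>
  </Appenders>
  <Loggers>
    <Root level="info">
      <AppenderRef ref="Console"/>
    </Root>
  </Loggers>
</Configuration>
```

A quick way to audit a deployment for the affected form is to search every log4j2.xml, .properties, .yaml and .json configuration for the string `{ctx:`; any hit inside a PatternLayout pattern is a candidate for the replacement shown. This is a configuration-level workaround only; the post's permanent fix remains upgrading log4j-core to 2.17.0 or later.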

Note: The United States Cybersecurity and Infrastructure Security Agency (CISA) has also added the Log4j vulnerabilities to its Known Exploited Vulnerabilities Catalog. Note that only the log4j-core JAR file is affected by this vulnerability. Applications using only the log4j-api JAR file without the log4j-core JAR file are not impacted. Other projects such as Log4net and Log4cxx are not impacted either.

This is how you need to fix the CVE-2021-45105 Log4j Vulnerability on your affected servers.
We hope this post will let you know how to fix CVE-2021-45105, a new high severity vulnerability in Log4j. Thanks for reading this threat post.

About the author

Arun KL

Hi All, I am Arun KL, an IT Security Professional. Founder of “thesecmaster.com”. Enthusiast, Security Blogger, Technical Writer, Editor, Author at TheSecMaster. To know more about me. Follow me on LinkedIn
