How To Fix CVE-2021-45105- A New High Severity Vulnerability In Log4j

On 18th December, a security researcher from Akamai disclosed a new high severity vulnerability (CVE-2021-45105) in Log4j that could lead to Denial of Service attacks. This vulnerability has been added as a third new vulnerability after CVE-2021-44228 and CVE-2021-45046 in Log4j for the past two weeks. Considering the growing development, it is highly recommended to follow up on the threat and take intimidating actions to overcome the threat. Let’s see how to fix CVE-2021-45105- A new high severity vulnerability in Log4j.

Summary Of CVE-2021-45105- A New High Severity Vulnerability:

This high severity vulnerability is due to infinite recursion from self-referential lookups in Thread Context Map (MDC). Apache Foundation said the vulnerability allows attackers to craft malicious input data containing a recursive lookup that leads to StackOverflowError and process termination, which could be a denial of service.

Apache said, “Apache Log4j2 versions 2.0-alpha1 through 2.16.0 did not protect from uncontrolled recursion from self-referential lookups. When the logging configuration uses a non-default Pattern Layout with a Context Lookup (for example, $${ctx:loginId}), attackers with control over Thread Context Map (MDC) input data can craft malicious input data that contains a recursive lookup, resulting in a StackOverflowError that will terminate the process. This is also known as a DOS (Denial of Service) attack.”

Log4j Versions Vulnerable To The CVE-2021-45105 Vulnerability:

All the versions starting from 2.0-alpha1 to version 2.16.0 are vulnerable to the CVE-2021-45105 stack overflow vulnerability. 

Log4j version 1.x is not affected by the flaw. However, it was affected by a different CVE-2019-1757remote code execution vulnerability. 

Who Are Impacted By The CVE-2021-45105 Vulnerability?

It impacts almost all the products that use the Log4j logger service. Most likely, it impacts all the applications as like in CVE-2021-44228 and CVE-2021-45046 vulnerabilities such as Apple, Tencent, Steam, Twitter, Baidu, DIDI, JD, NetEase, CloudFlare, Amazon, Tesla, Apache Solr, Apache Druid, Apache Flink, Apache Struts2, flume, Dubbo, IBM Qradar SIEM, PaloAlto Panorama, Redis, logstash, ElasticSearch, Kafka, ghidra, ghidra server, Minecraft, PulseSecure, UniFi, VMWare, Blender, Google, Webex, LinkedIn, VMWarevCenter, Speed camera LOL, and more. Wait, the list is not reached the end. Please visit the link, which has a comprehensive list of the vulnerable application. Rather than going through the list, it is good to get your application tested with the vendor.

Other Log4j Vulnerabilities In 2021:

How To Fix CVE-2021-45105- A New Vulnerability Log4j?

If you are still running 1.x version, ASF urges you to upgrade it to the latest version. The best permanent fix is to upgrade version 2.17.0 and higher. Ask your developer team to rebuild the project package with the new version of Log4j. If in case you have this vulnerability found on third-party apps, get in their touch and ask to validate and release the permanent fix CVE-2021-45105 vulnerability.

Vendor’s Guidelines to Fix CVE-2021-45105 Vulnerability:

It is not enough to wait until the Vendors release the updates. Organizations should take some precautions to protect their network from CVE-2021-45105 vulnerability.

Those who can’t upgrade the Log4j library can follow these mitigation tips shared by ASF.

Note: United States Cybersecurity and Infrastructure Security Agency (CISA) has also added the Log4j vulnerabilities to the Known Exploited Vulnerabilities Catalog. Note that only the log4j-core JAR file is affected by this vulnerability. Applications using only the log4j-API JAR file without the log4j-core JAR file are not impacted by this vulnerability. And, other projects like Log4net and Log4cxx are not impacted by this.

This is how you need to fix the CVE-2021-45105 Log4j Vulnerability on your affected servers.We hope this post will let you know how to fix CVE-2021-45105- A new high severity vulnerability in Log4j. Thanks for reading this threat post. Please share this post and help to secure the digital world. Visit our social media page on Facebook, LinkedIn, Twitter, Telegram, Tumblr, & Medium and subscribe to receive updates like this.