Security researchers disclosed a new vulnerability Log4j library. This vulnerability allows attackers to perform denial of service (DOS) attacks by crafting malicious input data using a JNDI Lookup pattern. Let’s see more details on the vulnerability, including how to mitigate CVE-2021-45046 (New Log4Shell Vulnerability).
What Is JNDI?
In short, Java Naming and Directory Interface is a Java API that allows applications to communicate with other applications such as LDAP, DNS, NIS, NDS, RMI, and CORBA. It runs on top of a Java application to fetch files from a database using naming conventions.
Summary Of CVE-2021-45046- A New Log4Shell Vulnerability:
Apache Software Foundation said, “It was found that the fix to address CVE-2021-44228 in Apache Log4j 2.15.0 was incomplete in certain non-default configurations. This could allow attackers with control over Thread Context Map (MDC) input data when the logging configuration uses a non-default Pattern Layout with either a Context Lookup (for example, $${ctx:loginId}) or a Thread Context Map pattern (%X, %mdc, or %MDC) to craft malicious input data using a JNDI Lookup pattern resulting in a denial of service (DOS) attack. Log4j 2.15.0 restricts JNDI LDAP lookups to localhost by default. Note that previous mitigations involving configuration such as to set the system property `log4j2.noFormatMsgLookup` to `true` do NOT mitigate this specific vulnerability”.
| Associated CVE ID | CVE-2021-45046 |
| Description | Denial of Service vulnerability in Log4j Logging Library |
| Associated ZDI ID | NA |
| CVSS Score | 3.7 |
| Vector | CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L |
| Impact Score | NA |
| Exploitability Score | NA |
| Attack Vector (AV) | Network |
| Attack Complexity (AC) | High |
| Privilege Required (PR) | None |
| User Interaction (UI) | None |
| Scope | Unchanged |
| Confidentiality (C) | None |
| Integrity (I) | Low |
| availability (a) | Low |
Log4j Versions Vulnerable To The CVE-2021-45046 Log4Shell Vulnerability:
The CVE-2021-45046 Log4Shell Vulnerability affects all versions from 2.0-beta9 through 2.12.1 and 2.13.0 through 2.15.0.
Log4j version 1.x is not affected by the flaw. However, it was affected by a different CVE-2019-1757remote code execution vulnerability.
Who Are Impacted By The CVE-2021-45046 Log4Shell Vulnerability?
When it comes to the victims, This vulnerability is almost as same as the previous CVE-2021-44228 vulnerability. Most likely, all the applications and services are impacted, such as Apple, Tencent, Steam, Twitter, Baidu, DIDI, JD, NetEase, CloudFlare, Amazon, Tesla, Apache Solr, Apache Druid, Apache Flink, Apache Struts2, flume, Dubbo, IBM Qradar SIEM, PaloAlto Panorama, Redis, logstash, ElasticSearch, kafka, ghidra, ghidra server, Minecraft, PulseSecure, UniFi, VMWare, Blender, Google, Webex, LinkedIn, VMWarevCenter, Speed camera LOL, and more.
How To Mitigate CVE-2021-45046- A New Log4Shell Vulnerability?
Permanent Fix:
This CVE-2021-45046Log4Shell Vulnerability is fixed in Log4j 2.16.0. The newly fixed log4j-core.jar is available for download from Apache Foundation. And, it is also made available on Maven Central.
Mitigation Actions:
In most cases, upgrading to the new version is not a convenient option because of the dependencies hierarchies and complexity of your build. There are a couple of ways to mitigate CVE-2021-45046 (New Log4Shell Vulnerability) which is not fixed in CVE-2021-44228 Log4Shell Vulnerability.
- Remove the JndiLookup class from the classpath: zip -q -d log4j-core-*.jar org/apache/logging/log4j/core/lookup/JndiLookup.class
- Disable JNDI
This is how you need to mitigate CVE-2021-45046 Log4Shell Vulnerability on your affected servers.
We hope this post would help you mitigate CVE-2021-45046 Log4Shell vulnerability- A Critical 0-DAY RCE in Log4j Logging Library. Thanks for reading this threat post. Please share this post and help to secure the digital world. Visit our social media page on Facebook, LinkedIn, Twitter, Telegram, Tumblr, & Medium and subscribe to receive updates like this.
