• Home
  • |
  • Blog
  • |
  • How To Mitigate CVE-2021-45046- A New Log4Shell Vulnerability In Log4j Library
How to Mitigate CVE-2021-45046 Log4Shell Vulnerability

Security researchers disclosed a new vulnerability Log4j library. This vulnerability allows attackers to perform denial of service (DOS) attacks by crafting malicious input data using a JNDI Lookup pattern. Let’s see more details on the vulnerability, including how to mitigate CVE-2021-45046 (New Log4Shell Vulnerability).

What Is JNDI?

In short, Java Naming and Directory Interface is a Java API that allows applications to communicate with other applications such as LDAP, DNS, NIS, NDS, RMI, and CORBA. It runs on top of a Java application to fetch files from a database using naming conventions.

Summary Of CVE-2021-45046- A New Log4Shell Vulnerability:

Apache Software Foundation said, “It was found that the fix to address CVE-2021-44228 in Apache Log4j 2.15.0 was incomplete in certain non-default configurations. This could allow attackers with control over Thread Context Map (MDC) input data when the logging configuration uses a non-default Pattern Layout with either a Context Lookup (for example, $${ctx:loginId}) or a Thread Context Map pattern (%X, %mdc, or %MDC) to craft malicious input data using a JNDI Lookup pattern resulting in a denial of service (DOS) attack. Log4j 2.15.0 restricts JNDI LDAP lookups to localhost by default. Note that previous mitigations involving configuration such as to set the system property `log4j2.noFormatMsgLookup` to `true` do NOT mitigate this specific vulnerability”.

Associated CVE IDCVE-2021-45046
DescriptionDenial of Service vulnerability in Log4j Logging Library
Associated ZDI IDNA
CVSS Score3.7
Impact ScoreNA
Exploitability ScoreNA
Attack Vector (AV)Network
Attack Complexity (AC)High
Privilege Required (PR)None
User Interaction (UI)None
Confidentiality (C)None
Integrity (I)Low
availability (a)Low

Log4j Versions Vulnerable To The CVE-2021-45046 Log4Shell Vulnerability:

The CVE-2021-45046 Log4Shell Vulnerability affects all versions from 2.0-beta9 through 2.12.1 and 2.13.0 through 2.15.0.

Log4j version 1.x is not affected by the flaw. However, it was affected by a different CVE-2019-1757remote code execution vulnerability.

Who Are Impacted By The CVE-2021-45046 Log4Shell Vulnerability?

When it comes to the victims, This vulnerability is almost as same as the previous CVE-2021-44228 vulnerability. Most likely, all the applications and services are impacted, such as Apple, Tencent, Steam, Twitter, Baidu, DIDI, JD, NetEase, CloudFlare, Amazon, Tesla, Apache Solr, Apache Druid, Apache Flink, Apache Struts2, flume, Dubbo, IBM Qradar SIEM, PaloAlto Panorama, Redis, logstash, ElasticSearch, kafka, ghidra, ghidra server, Minecraft, PulseSecure, UniFi, VMWare, Blender, Google, Webex, LinkedIn, VMWarevCenter, Speed camera LOL, and more.

How To Mitigate CVE-2021-45046- A New Log4Shell Vulnerability?

Permanent Fix:

This CVE-2021-45046Log4Shell Vulnerability is fixed in Log4j 2.16.0. The newly fixed log4j-core.jar is available for download from Apache Foundation. And, it is also made available on Maven Central.

Mitigation Actions:

In most cases, upgrading to the new version is not a convenient option because of the dependencies hierarchies and complexity of your build. There are a couple of ways to mitigate CVE-2021-45046 (New Log4Shell Vulnerability) which is not fixed in CVE-2021-44228 Log4Shell Vulnerability. 

  1. Remove the JndiLookup class from the classpath: zip -q -d log4j-core-*.jar org/apache/logging/log4j/core/lookup/JndiLookup.class
  2. Disable JNDI
See Also  Early-Stage Indicators of Ryuk and Conti Ransomware Attacks

This is how you need to mitigate CVE-2021-45046 Log4Shell Vulnerability on your affected servers.
We hope this post would help you mitigate CVE-2021-45046 Log4Shell vulnerability- A Critical 0-DAY RCE in Log4j Logging Library. Thanks for reading this threat post. Please share this post and help to secure the digital world. Visit our social media page on FacebookLinkedInTwitterTelegramTumblr, & Medium and subscribe to receive updates like this.

About the author

Arun KL

Hi All, I am Arun KL, an IT Security Professional. Founder of “thesecmaster.com”. Enthusiast, Security Blogger, Technical Writer, Editor, Author at TheSecMaster. To know more about me. Follow me on LinkedIn

Leave a Reply

Your email address will not be published. Required fields are marked

{"email":"Email address invalid","url":"Website address invalid","required":"Required field missing"}

Learn Something New with Free Email subscription

Email is also one of the ways to be in touch with us. Our free subscription plan offers you to receive post updates straight to your inbox.