December 15, 2021

How To Mitigate CVE-2021-45046- A New Log4Shell Vulnerability In Log4j Library

Security researchers disclosed a new vulnerability in the Log4j library. It allows attackers to cause a denial of service (DoS) by crafting malicious input data that uses a JNDI Lookup pattern. Let’s look at the details of the vulnerability, including how to mitigate CVE-2021-45046 (the new Log4Shell vulnerability).

What Is JNDI?

In short, the Java Naming and Directory Interface (JNDI) is a Java API that lets an application look up objects and data by name through naming and directory services such as LDAP, DNS, NIS, NDS, RMI, and CORBA. A Java application calls it to resolve a name into a remote object or record, and that resolution step is what the Log4Shell lookup patterns abuse.

Summary Of CVE-2021-45046- A New Log4Shell Vulnerability:

Apache Software Foundation said, “It was found that the fix to address CVE-2021-44228 in Apache Log4j 2.15.0 was incomplete in certain non-default configurations. This could allow attackers with control over Thread Context Map (MDC) input data when the logging configuration uses a non-default Pattern Layout with either a Context Lookup (for example, $${ctx:loginId}) or a Thread Context Map pattern (%X, %mdc, or %MDC) to craft malicious input data using a JNDI Lookup pattern resulting in a denial of service (DOS) attack. Log4j 2.15.0 restricts JNDI LDAP lookups to localhost by default. Note that previous mitigations involving configuration such as to set the system property `log4j2.noFormatMsgLookup` to `true` do NOT mitigate this specific vulnerability”.

Associated CVE ID: CVE-2021-45046
Description: Denial of Service vulnerability in Log4j Logging Library
Associated ZDI ID: NA
CVSS Score: 3.7
Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L
Impact Score: NA
Exploitability Score: NA
Attack Vector (AV): Network
Attack Complexity (AC): High
Privileges Required (PR): None
User Interaction (UI): None
Scope: Unchanged
Confidentiality (C): None
Integrity (I): Low
Availability (A): Low
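The advisory quoted above makes the exploitable condition a configuration question: the PatternLayout has to contain a Context Lookup ($${ctx:...}) or a Thread Context Map pattern (%X, %mdc or %MDC). As an added example, not code from the original post, here is a small Python check that scans a log4j2.xml for exactly those tokens so you can tell which deployments are in the non-default state the advisory describes. The two configuration snippets are constructed samples, and the regular expressions are my own approximation of Log4j's pattern syntax, not the library's parser.

```python
import re
from typing import List

# Constructed sample log4j2.xml fragments (not from the post or any real deployment).
DEFAULT_CONFIG = """<Configuration status="warn">
  <Appenders>
    <Console name="stdout" target="SYSTEM_OUT">
      <PatternLayout pattern="%d{HH:mm:ss.SSS} [%t] %-5level %logger{36} - %msg%n"/>
    </Console>
  </Appenders>
</Configuration>"""

RISKY_CONFIG = """<Configuration status="warn">
  <Appenders>
    <Console name="stdout" target="SYSTEM_OUT">
      <PatternLayout pattern="%d user=$${ctx:loginId} req=%X{requestId} - %msg%n"/>
    </Console>
    <File name="audit" fileName="audit.log">
      <PatternLayout>
        <Pattern>%d %p %MDC - %m%n</Pattern>
      </PatternLayout>
    </File>
  </Appenders>
</Configuration>"""

# Tokens the advisory names: Context Lookup ($${ctx:...} or ${ctx:...}) and the
# Thread Context Map conversion patterns %X, %mdc and %MDC.
# (Assumed approximation of Log4j's pattern syntax, not the library's own parser.)
RISKY_TOKENS = re.compile(r"\$\$?\{ctx:[^}]*\}|%(?:X|mdc|MDC)\b")

# Both ways a PatternLayout can carry its pattern: the attribute form and a <Pattern> child.
PATTERN_ATTR = re.compile(r'<PatternLayout\b[^>]*\bpattern="([^"]*)"')
PATTERN_CHILD = re.compile(r"<Pattern>([^<]*)</Pattern>")


def layout_patterns(config_xml: str) -> List[str]:
    """Collect every pattern string declared by a PatternLayout in the config."""
    patterns = [m.group(1) for m in PATTERN_ATTR.finditer(config_xml)]
    patterns += [m.group(1) for m in PATTERN_CHILD.finditer(config_xml)]
    return patterns


def find_risky_tokens(config_xml: str) -> List[str]:
    """Return the Context Lookup / Thread Context Map tokens found in layout patterns."""
    found = []
    for pattern in layout_patterns(config_xml):
        found.extend(t.group(0) for t in RISKY_TOKENS.finditer(pattern))
    return found


def exposed_to_cve_2021_45046_pattern(config_xml: str) -> bool:
    """True when the layout is the non-default kind the advisory describes."""
    return bool(find_risky_tokens(config_xml))


if __name__ == "__main__":
    for name, cfg in (("default", DEFAULT_CONFIG), ("risky", RISKY_CONFIG)):
        print(name, find_risky_tokens(cfg))
```

A clean result from this check only tells you that the layout is the default kind; the jar is still the vulnerable version and should still be upgraded or have the class removed, because a later configuration change would reopen the hole.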

Log4j Versions Vulnerable To The CVE-2021-45046 Log4Shell Vulnerability:

The CVE-2021-45046 Log4Shell Vulnerability affects all versions from 2.0-beta9 through 2.12.1 and 2.13.0 through 2.15.0.

Log4j version 1.x is not affected by this flaw. It was, however, affected by a different remote code execution vulnerability, CVE-2019-1757.

Who Are Impacted By The CVE-2021-45046 Log4Shell Vulnerability?

When it comes to who is affected, the picture is nearly the same as for the previous CVE-2021-44228 vulnerability. Most of the same applications and services are likely impacted, such as Apple, Tencent, Steam, Twitter, Baidu, DIDI, JD, NetEase, CloudFlare, Amazon, Tesla, Apache Solr, Apache Druid, Apache Flink, Apache Struts2, flume, Dubbo, IBM Qradar SIEM, PaloAlto Panorama, Redis, logstash, ElasticSearch, kafka, ghidra, ghidra server, Minecraft, PulseSecure, UniFi, VMWare, Blender, Google, Webex, LinkedIn, VMWare vCenter, Speed camera LOL, and more.

How To Mitigate CVE-2021-45046- A New Log4Shell Vulnerability?

Permanent Fix:

This CVE-2021-45046 Log4Shell vulnerability is fixed in Log4j 2.16.0. The fixed log4j-core.jar is available for download from the Apache Foundation, and it is also published on Maven Central.

Mitigation Actions:

In many cases, upgrading to the new version is not a convenient option because of dependency hierarchies and the complexity of your build. There are two ways to mitigate CVE-2021-45046 (the new Log4Shell vulnerability), the case that the CVE-2021-44228 fix in Log4j 2.15.0 left open:

  1. Remove the JndiLookup class from the classpath: zip -q -d log4j-core-*.jar org/apache/logging/log4j/core/lookup/JndiLookup.class

  2. Disable JNDI
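As an added example (my own code, not the post's or the Apache project's), the following Python script ties the version table and the first mitigation step together: it applies the affected-version ranges stated above to log4j-core jar file names, and for each affected jar it removes org/apache/logging/log4j/core/lookup/JndiLookup.class the same way the zip command does, rewriting the jar with the standard library. The jars it operates on are constructed placeholders built in a temporary directory, and the version regex, function names and sample jars are my own assumptions.

```python
import io
import re
import tempfile
import zipfile
from pathlib import Path
from typing import Dict, List, Optional, Tuple

# The class the post's zip command deletes.
JNDI_LOOKUP_ENTRY = "org/apache/logging/log4j/core/lookup/JndiLookup.class"

# Version taken from the jar file name, e.g. log4j-core-2.14.1.jar or log4j-core-2.0-beta9.jar
# (assumed naming; shaded or renamed jars need the has_jndi_lookup() check instead).
VERSION_RE = re.compile(r"log4j-core-(\d+)\.(\d+)(?:\.(\d+))?(?:-(beta|rc)(\d+))?\.jar$")


def parse_version(jar_name: str) -> Optional[Tuple[int, int, int, Optional[str], int]]:
    """Return (major, minor, patch, pre_tag, pre_number), or None for a non log4j-core name."""
    m = VERSION_RE.search(jar_name)
    if not m:
        return None
    major, minor = int(m.group(1)), int(m.group(2))
    patch = int(m.group(3)) if m.group(3) else 0
    pre_number = int(m.group(5)) if m.group(5) else 0
    return major, minor, patch, m.group(4), pre_number


def is_affected(jar_name: str) -> bool:
    """Apply the ranges stated in the post: 2.0-beta9 through 2.12.1 and 2.13.0 through 2.15.0."""
    v = parse_version(jar_name)
    if v is None:
        return False
    major, minor, patch, pre_tag, pre_number = v
    if major != 2:
        return False          # 1.x is a separate branch, not covered by this CVE
    if pre_tag == "beta":     # only 2.0 had betas; beta9 is the first affected one
        return (minor, patch) == (0, 0) and pre_number >= 9
    key = (minor, patch)      # 2.0-rcN and 2.0 final come after beta9, inside the first range
    return (0, 0) <= key <= (12, 1) or (13, 0) <= key <= (15, 0)


def has_jndi_lookup(jar: Path) -> bool:
    with zipfile.ZipFile(jar) as z:
        return JNDI_LOOKUP_ENTRY in z.namelist()


def strip_jndi_lookup(jar: Path) -> bool:
    """Rewrite the jar without JndiLookup.class (zipfile cannot delete in place). True if removed."""
    with zipfile.ZipFile(jar) as src:
        if JNDI_LOOKUP_ENTRY not in src.namelist():
            return False
        buf = io.BytesIO()
        with zipfile.ZipFile(buf, "w") as dst:
            for info in src.infolist():
                if info.filename != JNDI_LOOKUP_ENTRY:
                    dst.writestr(info, src.read(info.filename))  # keeps each entry's compression
    jar.write_bytes(buf.getvalue())
    return True


def remediate_tree(root: Path) -> List[Tuple[str, bool]]:
    """Find log4j-core jars under root and strip the class from affected ones: (name, stripped)."""
    results = []
    for jar in sorted(root.rglob("log4j-core-*.jar")):
        stripped = strip_jndi_lookup(jar) if is_affected(jar.name) else False
        results.append((jar.name, stripped))
    return results


def build_sample_jar(directory: Path, version: str) -> Path:
    """Construct a stand-in jar: a zip with placeholder entries, not a real Log4j build."""
    jar = directory / f"log4j-core-{version}.jar"
    with zipfile.ZipFile(jar, "w", compression=zipfile.ZIP_DEFLATED) as z:
        z.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
        z.writestr("org/apache/logging/log4j/core/Logger.class", b"\xca\xfe\xba\xbe placeholder")
        z.writestr(JNDI_LOOKUP_ENTRY, b"\xca\xfe\xba\xbe placeholder")
    return jar


def demo_remediation() -> Dict[str, object]:
    """Run the whole procedure against constructed jars in a temporary directory."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        affected = build_sample_jar(root, "2.14.1")   # inside the affected range
        fixed = build_sample_jar(root, "2.16.0")      # the fixed release, left untouched
        first_pass = remediate_tree(root)
        after = {jar.name: has_jndi_lookup(jar) for jar in (affected, fixed)}
        second_pass = remediate_tree(root)            # idempotent: nothing left to strip
    return {"first_pass": first_pass, "after": after, "second_pass": second_pass}


if __name__ == "__main__":
    print(demo_remediation())
```

The script rewrites jars in place, so keep a backup of each jar before running it against a real library directory, and restart the JVM afterwards: a class that is already loaded stays loaded until the process exits. Because the version check keys on the file name, a shaded or renamed jar will be skipped, and for those has_jndi_lookup() on the jar itself is the check to rely on.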

This is how to mitigate the CVE-2021-45046 Log4Shell vulnerability on your affected servers. We hope this post helps you mitigate CVE-2021-45046, the new Log4Shell vulnerability in the Log4j logging library.

Arun KL

Arun KL is a cybersecurity professional with 15+ years of experience in IT infrastructure, cloud security, vulnerability management, Penetration Testing, security operations, and incident response. He is adept at designing and implementing robust security solutions to safeguard systems and data. Arun holds multiple industry certifications including CCNA, CCNA Security, RHCE, CEH, and AWS Security.
