New Log4j Patch, Vendors Release Security Advisories
Last published on: December 15, 2021
New Log4j Vulnerability – Patch Available
Apache has released a new patch for the Log4j, addressing a new vulnerability discovered, tracked as CVE-2021-45046 (CVSS 3.0 score 3.7), that may allow threat actors to cause Denial-of-Service (DoS) attacks in certain scenarios.
According to Apache, this vulnerability is not patched in Log4j 2.15.0.
The previously presented workaround that included setting the ‘Log4j2.noFormatMsgLookup’ system property to ‘True’ does not mitigate this newly discovered vulnerability
CYREBRO strongly recommends following the Apache mitigation steps:
- Java 8 (or later) users should upgrade to release 2.16.0
- Users requiring Java 7 should upgrade to release 2.12.2 when it becomes available (work in progress, expected to be available soon).
- Otherwise, remove the JndiLookup class from the classpath: zip -q -d log4j-core-*.jar org/apache/logging/log4j/core/lookup/JndiLookup.class
Note that only the log4j-core JAR file is impacted by this vulnerability. Applications using only the log4j-api JAR file without the log4j-core JAR file are not impacted by this vulnerability.
Vendors Release Security Advisory
Many vendors have begun addressing the Log4Shell vulnerability, including Fortinet, VMWare, Cisco and many more. The list can be found here.
*Please note that this list may change and might not include all vendors
CYREBRO urges reviewing the list of relevant vendors and products and visiting their advisories to apply relevant product mitigations and updates.
References: Apache Advisory | BleepingComputer