Third Log4j vulnerability uncovered, Apache releases version 2.17.0
'High severity' bug fixed is an uncontrolled recursion flaw
The Apache Software Foundation (ASF) has rolled out another update - version 2.17.0 - for its Java-based open-source logging library Log4j to address a third security vulnerability discovered in the last ten days.
Tracked as CVE-2021-45105, the new vulnerability is an infinite recursion flaw that affects all versions of the tool from 2.0-alpha1 to 2.16.0.
The Foundation gave the security flaw a CVSS score of 7.5, calling it a 'high' severity vulnerability.
"Apache Log4j versions 2.0-alpha1 through 2.16.0 did not protect from uncontrolled recursion from self-referential lookups," the ASF said in its revised advisory about Log4j vulnerabilities.
"When the logging configuration uses a non-default Pattern Layout with a Context Lookup (for example, $${ctx:loginId}), attackers with control over Thread Context Map input data can craft malicious input data that contains a recursive lookup, resulting in a StackOverflowError that will terminate the process. This is also known as a DOS (Denial of Service) attack."
The Foundation added that in releases prior to version 2.17.0, the issue can be mitigated by ensuring that, in the PatternLayout of the logging configuration, Context Lookups like ${ctx:loginId} or $${ctx:loginId} are replaced with Thread Context Map patterns (%X, %mdc, or %MDC).
Otherwise, in the configuration, references to Context Lookups like ${ctx:loginId} or $${ctx:loginId} should be removed, where they originate from sources external to the application such as HTTP headers or user input.
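As an added illustration, not taken from the advisory or from the Log4j project, the following log4j2.xml fragment shows the kind of PatternLayout the advisory warns about next to the replacement it recommends. The appender and logger names and the Thread Context Map key "loginId" are assumed for the example.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Added example configuration (not from the advisory): log4j2.xml for an
     application that stores the authenticated user id in the Thread Context
     Map under the key "loginId" (key, appender and logger names are assumed). -->
<Configuration status="WARN">
  <Appenders>
    <Console name="Console" target="SYSTEM_OUT">
      <!-- Pattern the advisory warns about (Log4j 2.0-alpha1 to 2.16.0): the
           Context Lookup is re-evaluated for every log event, so a value that
           reached the Thread Context Map from an external source (for example
           an HTTP header) is itself subject to lookup expansion.
           <PatternLayout pattern="%d{ISO8601} [%t] %-5level %c{1.} user=$${ctx:loginId} %m%n"/>
      -->
      <!-- Recommended replacement: the Thread Context Map pattern %X{key}
           (%mdc{key} and %MDC{key} are equivalent) copies the stored value
           verbatim and performs no lookup on it. -->
      <PatternLayout pattern="%d{ISO8601} [%t] %-5level %c{1.} user=%X{loginId} %m%n"/>
    </Console>
  </Appenders>
  <Loggers>
    <Root level="info">
      <AppenderRef ref="Console"/>
    </Root>
  </Loggers>
</Configuration>
```

To find configurations that need this change, search every Log4j 2 configuration file the deployment ships (XML, JSON, YAML or properties) for the string `ctx:` and review each Context Lookup that appears in a layout pattern. The pattern change is the pre-2.17.0 mitigation the advisory describes; upgrading to 2.17.0 remains the actual fix.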
Akamai Technologies' Hideki Okamoto and an anonymous security researcher have been credited for the discovery of the bug.
Version 2.17.0 is the third new version of the Log4j tool in the last ten days.
Earlier this month, the ASF released version 2.15.0 to fix the CVE-2021-44228 (Log4Shell) security bug, which researchers described as a highly dangerous, widespread and easy-to-exploit flaw.
CVE-2021-44228, which could allow attackers to execute malicious code on Java applications, is triggered when a specially crafted string supplied by the attacker through any of a variety of input vectors is parsed and processed by the vulnerable Log4j component.
Bitdefender said it had observed multiple attempts by attackers to deploy a ransomware payload on vulnerable systems by making use of the Log4Shell bug. Microsoft also confirmed Bitdefender's findings, stating that it had observed threat actors attempting to deliver Khonsari ransomware to self-hosted Minecraft servers by exploiting Log4Shell.
And as if Log4Shell was not enough, a second vulnerability in Log4j was uncovered last week, affecting version 2.15.0, the Log4Shell fix.
However, this bug - tracked as CVE-2021-45046 - appeared to be much less serious. Apache described it as being of Moderate severity with a CVSS score of 3.7, as opposed to the 10 out of 10 assigned to Log4Shell.
The ASF released Log4j version 2.16.0 to fix that flaw, saying it completely disables the vulnerable message lookups feature and also disables access to Java Naming and Directory Interface (JNDI) by default.
Admins are now advised to upgrade to 2.17.0 or take the defensive measures described above.