Apache reveals another Log4j bug, so patch now


Apache can’t seem to catch a break with Java-based logging utility Log4j, as a third major vulnerability has now been discovered.

On Friday, the Apache Software Foundation (ASF) published an announcement explaining that a newly discovered flaw had been fixed. The organization also urged all users to update to the latest version of the logger immediately.

In short, the flaw is an uncontrolled recursion error: a self-referential lookup keeps expanding until the process runs out of stack and crashes, a denial-of-service (DoS) condition on the affected server. Here’s how the ASF describes the issue:

“Apache Log4j2 versions 2.0-alpha1 through 2.16.0 did not protect from uncontrolled recursion from self-referential lookups. When the logging configuration uses a non-default Pattern Layout with a Context Lookup (for example, $${ctx:loginId}), attackers with control over Thread Context Map (MDC) input data can craft malicious input data that contains a recursive lookup, resulting in a StackOverflowError that will terminate the process. This is also known as a DOS (Denial of Service) attack.”

The newest version of Log4j (2.17.0) can be found at this link, and users are advised to install it wherever they have Log4j running. Those unable to patch immediately can instead apply one of these temporary workarounds:

  • In PatternLayout in the logging configuration, replace Context Lookups like ${ctx:loginId} or $${ctx:loginId} with Thread Context Map patterns (%X, %mdc, or %MDC).
  • In the configuration, remove references to Context Lookups like ${ctx:loginId} or $${ctx:loginId} where they originate from sources external to the application such as HTTP headers or user input.
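As an added illustration (not code from the article or from the ASF advisory), the script below places a PatternLayout that interpolates a Context Lookup beside the same layout rewritten per the first workaround, and shows a simple check a defender can run over log4j2.xml files to flag the weak setting. The sample configuration is constructed for the example, and the check only inspects the `pattern="..."` attribute and `<Pattern>` element forms of PatternLayout.

```python
import re

# Constructed sample config: the PatternLayout interpolates a Context Lookup,
# the setting the advisory says to replace.
VULNERABLE_CONFIG = """<?xml version="1.0" encoding="UTF-8"?>
<Configuration status="WARN">
  <Appenders>
    <Console name="Console" target="SYSTEM_OUT">
      <PatternLayout pattern="%d{ISO8601} %-5level user=$${ctx:loginId} %msg%n"/>
    </Console>
  </Appenders>
  <Loggers><Root level="info"><AppenderRef ref="Console"/></Root></Loggers>
</Configuration>
"""

# Matches ${ctx:key} and $${ctx:key}; the doubled form is the one resolved
# per log event, so both are relevant.
CTX_LOOKUP = re.compile(r"\$\$?\{ctx:[^}]*\}")
# PatternLayout pattern given as an attribute or as a <Pattern> child element.
PATTERN_ATTR = re.compile(r'<PatternLayout\b[^>]*\bpattern="([^"]*)"', re.IGNORECASE)
PATTERN_ELEM = re.compile(r"<Pattern>([^<]*)</Pattern>", re.IGNORECASE)


def find_context_lookups(config_xml: str) -> list:
    """Return every Context Lookup found inside a PatternLayout pattern."""
    hits = []
    for regex in (PATTERN_ATTR, PATTERN_ELEM):
        for pattern in regex.findall(config_xml):
            hits.extend(CTX_LOOKUP.findall(pattern))
    return hits


def harden_pattern(pattern: str) -> str:
    """Rewrite ${ctx:key} / $${ctx:key} to %X{key}: the Thread Context Map
    converter prints the MDC value directly instead of running a lookup."""
    return CTX_LOOKUP.sub(
        lambda m: "%X{" + m.group(0).split(":", 1)[1].rstrip("}") + "}", pattern)


def harden_config(config_xml: str) -> str:
    """Apply harden_pattern to every PatternLayout pattern in a config."""
    fix = lambda m: m.group(0).replace(m.group(1), harden_pattern(m.group(1)))
    return PATTERN_ELEM.sub(fix, PATTERN_ATTR.sub(fix, config_xml))


# The same layout after the first workaround from the advisory.
HARDENED_CONFIG = harden_config(VULNERABLE_CONFIG)

if __name__ == "__main__":
    print("weak config lookups:", find_context_lookups(VULNERABLE_CONFIG))
    print("hardened config lookups:", find_context_lookups(HARDENED_CONFIG))
```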

Biggest threat in years

The Log4j utility has been at the center of a media storm over the last two weeks, after the discovery of a major flaw that placed millions of endpoints at risk of data theft.

Last week, Jen Easterly, the director of the US Cybersecurity and Infrastructure Security Agency (CISA), described it as “one of the most serious” flaws she’s seen in her entire career, “if not the most serious”.

“We expect the vulnerability to be widely exploited by sophisticated actors and we have limited time to take necessary steps in order to reduce the likelihood of damage,” Easterly explained.

That original flaw is tracked as CVE-2021-44228 and allows malicious actors to execute virtually any code of their choosing. The skills required to take advantage of it are very low, experts have warned, urging everyone to patch Log4j as fast as they can.

The flaw is being compared to the 2017 issue that led to the Equifax hack, which saw the personal data of almost 150 million people exposed.

This original vulnerability was fixed in Log4j version 2.15.

Via The Register

Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.