DEV Community

nabbisen

Posted on • Edited on • Originally published at scqr.net

Log4j 2: New DoS vulnerability in 2.16.0 and below

Log4j 2.17.0 was released for a security reason: it fixes a DoS vulnerability that affects Log4j 2 versions 2.16.0 and below.

As for the new DoS (denial-of-service) vulnerability, a default Pattern Layout is safe, because the default configuration does NOT use a Context Lookup such as $${ctx:loginId}.
Otherwise, with a configuration that does use one, the CVSS score is 7.5 and the severity is high.

If Log4j 2 is configured with a custom Pattern Layout that uses Context Lookups such as $${ctx:loginId}, upgrading to 2.17.0 is recommended to fix the vulnerability, CVE-2021-45105. An attacker who controls Thread Context Map (MDC) values can supply a self-referential lookup, and the resulting uncontrolled recursion ends in a StackOverflowError that takes the service down.

Alternatively, the issue can be mitigated by replacing non-default Context Lookups in the Log4j 2 configuration with Thread Context Map patterns (%X, %mdc, or %MDC), which print MDC values without evaluating them as lookups, or by removing references to Context Lookups from the configuration. These details come from The Apache Software Foundation's security page:
https://logging.apache.org/log4j/2.x/security.html
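As an added check for the two points above (this is example code written for this page, not code from the original post or from the Log4j project), the script below scans a Log4j 2 XML configuration for Context Lookups and shows the affected PatternLayout next to its %X rewrite. The two sample configurations and the loginId key are constructed for the example; the regex matches only ctx lookups, and the installed Log4j version still has to be checked separately, because the scan only tells you whether the configuration makes the vulnerability reachable.

```python
"""Added example (not code from the original post or from the Log4j project):
scan a Log4j 2 XML configuration for Context Lookups (${ctx:...} / $${ctx:...}),
the configuration shape that makes CVE-2021-45105 reachable, and show the
mitigated form that uses the Thread Context Map pattern %X{...}.
Only the standard library is used; the sample configurations are constructed."""
from __future__ import annotations

import re
import xml.etree.ElementTree as ET

# ${ctx:name} or the event-time form $${ctx:name}, optionally with a
# ":-default" suffix. Only the ctx lookup is matched, since that is the lookup
# named in the advisory; other lookups are not flagged.
CTX_LOOKUP = re.compile(r"\$\$?\{ctx:[^}:]+(?::-[^}]*)?\}")

# Constructed sample: a custom PatternLayout that interpolates the loginId MDC
# value through a Context Lookup. This is the affected configuration shape.
VULNERABLE_XML = """<?xml version="1.0" encoding="UTF-8"?>
<Configuration status="WARN">
  <Appenders>
    <Console name="Console" target="SYSTEM_OUT">
      <PatternLayout pattern="%d{HH:mm:ss} [%t] user=$${ctx:loginId} %-5level %c - %m%n"/>
    </Console>
  </Appenders>
  <Loggers>
    <Root level="info">
      <AppenderRef ref="Console"/>
    </Root>
  </Loggers>
</Configuration>
"""

# Constructed sample: the same layout with the Context Lookup replaced by the
# Thread Context Map pattern %X{loginId}. %X prints the MDC value as-is instead
# of evaluating it as a lookup, which is the mitigation the advisory lists
# next to upgrading to 2.17.0.
MITIGATED_XML = VULNERABLE_XML.replace("$${ctx:loginId}", "%X{loginId}")


def find_context_lookups(xml_text: str) -> list[tuple[str, str]]:
    """Return (location, lookup) pairs for every ctx lookup in the document.

    Every attribute and text node is checked, not only PatternLayout/@pattern,
    so the <Pattern>...</Pattern> child form is covered as well.
    """
    root = ET.fromstring(xml_text.encode("utf-8"))
    hits: list[tuple[str, str]] = []

    def walk(elem: ET.Element, path: str) -> None:
        here = f"{path}/{elem.tag}"
        for attr, value in elem.attrib.items():
            for m in CTX_LOOKUP.finditer(value):
                hits.append((f"{here}/@{attr}", m.group(0)))
        for m in CTX_LOOKUP.finditer(elem.text or ""):
            hits.append((f"{here}/text()", m.group(0)))
        for child in elem:
            walk(child, here)

    walk(root, "")
    return hits


def is_affected(xml_text: str) -> bool:
    """True when the configuration uses a Context Lookup and therefore needs the
    2.17.0 upgrade or the %X rewrite. The Log4j version is not checked here."""
    return bool(find_context_lookups(xml_text))


def report(name: str, xml_text: str) -> str:
    """Human-readable summary of the scan result for one configuration."""
    hits = find_context_lookups(xml_text)
    if not hits:
        return f"{name}: no Context Lookups found"
    lines = [f"{name}: {len(hits)} Context Lookup(s) found, mitigate or upgrade:"]
    lines += [f"  {loc}: {lookup}" for loc, lookup in hits]
    return "\n".join(lines)


if __name__ == "__main__":
    print(report("vulnerable", VULNERABLE_XML))
    print(report("mitigated", MITIGATED_XML))
```

Run it against the log4j2.xml files you own (the comment thread below is right that a vendor's bundled configuration may be out of reach); a hit means the configuration is the non-default shape the advisory describes, and the fix is either the upgrade or the %X{...} rewrite shown in MITIGATED_XML.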


This post is based on tweets by my company.


Top comments (3)

Brian Richardson

Unfortunately there's no way of knowing if a third-party vendor has a weird logging configuration and a vulnerable version of Log4j. This makes update #3 now. My company's approach was to block the payload protocols to external hosts first, then focus on finding and patching. This has worked well for us: all logged attempts were blocked and would have used LDAP anyway, which was blocked.

nabbisen

Exactly. It's possible to detect the Log4j version and configuration, and also to update it, only when you own it or can at least customize it.

Thank you for sharing the knowledge and effort of your company 😃
