Cyber Forum
Active Exploits Discussion/Recommendations
Log4j Vulnerability Information
<blockquote data-quote="MJ Shoer" data-source="post: 2490" data-attributes="member: 3">
<h3><span style="color: rgb(184, 49, 47)"><strong>Severity: High</strong></span> <strong><span style="color: rgb(65, 168, 95)">TLP: Green</span> Second Log4j Vulnerability Discovered, Patch to Version 2.16</strong></h3>
<p><strong>Tags</strong></p>
<ol><li data-xf-list-type="ol"><strong>Cybercriminal Attack</strong></li></ol>
<p><strong>Summary:</strong></p>
<p>A second vulnerability involving Apache Log4j was found on Tuesday after cybersecurity experts spent days attempting to patch or mitigate CVE-2021-44228.</p>
<p>The description of the new vulnerability, CVE-2021-45046, says the fix to address CVE-2021-44228 in Apache Log4j 2.15.0 was "incomplete in certain non-default configurations."</p>
<p>"This could allow attackers... to craft malicious input data using a JNDI Lookup pattern resulting in a denial of service (DOS) attack," the CVE description says.</p>
<p><strong>Analyst Comments:</strong></p>
<p>This is not the first time an incomplete patch has been released for a critical vulnerability. This can be a headache for patching because of the swath of devices and systems that may be using this particular piece of software. Teams will have to backtrack and patch again; after the previous recommendation was to upgrade to 2.15, this is unfortunate news.</p>
<p>"Apache has already released a patch, Log4j 2.16.0. The CVE says Log4j 2.16.0 fixes the problem by removing support for message lookup patterns and disabling JNDI functionality by default. It notes that the issue can be mitigated in prior releases by removing the JndiLookup class from the classpath" (<a href="https://isc.sans.edu/diary/rss/28134" target="_blank">ISC SANS, 2021</a>).</p>
<p>Since the release of the original vulnerability, researchers have said that they have observed "At least a dozen groups are using the vulnerabilities so immediate action should be taken to either patch, remove JNDI, or take it out of the classpath" (<a href="https://logging.apache.org/log4j/2.x/download.html" target="_blank">Apache, 2021</a>).</p>
<p><strong>Mitigation:</strong></p>
<p>Apache has released another update, version 2.16, available here:</p>
<ul><li data-xf-list-type="ul"><a href="https://logging.apache.org/log4j/2.x/download.html" target="_blank">https://logging.apache.org/log4j/2.x/download.html</a></li></ul>
<p><strong>Sources:</strong></p>
<p><a href="https://logging.apache.org/log4j/2.x/download.html" target="_blank">Log4j – Download Apache Log4j 2</a></p>
<p><a href="https://www.zdnet.com/article/second-log4j-vulnerability-found-apache-log4j-2-16-0-released/" target="_blank">Second Log4j vulnerability discovered, patch already released | ZDNet</a></p>
<p>Apparently the patch for the first vulnerability was "incomplete."</p>
<p><a href="https://www.debian.org/security/2021/dsa-5020" target="_blank">Debian -- Security Information -- DSA-5020-1 apache-log4j2</a></p>
</blockquote>
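The post's two remediation paths (upgrade log4j-core to 2.16.0, or on older releases remove the JndiLookup class from the classpath) both start with the same question: where is log4j-core actually deployed, and at what version? The script below is an added example, not code from the post, from Apache, or from the cited advisories. It walks a directory tree, looks inside jars and inside jars nested in wars/ears, reads the version from the Maven pom.properties that log4j-core ships with (falling back to the file name), flags any copy below the post's 2.16.0 floor that still contains JndiLookup.class, and can rewrite a top-level jar without that class (the same effect as `zip -q -d <jar> org/apache/logging/log4j/core/lookup/JndiLookup.class`). The archives produced by `build_demo_tree()` are constructed stand-ins with dummy class bytes, and the 2.16.0 threshold is taken from the post and kept as a parameter.

```python
"""Scan a deployment tree for log4j-core, report each copy's version and whether JndiLookup
is still on the classpath, and strip JndiLookup.class from jars that carry it.
Added example, not code from the post or from Apache; build_demo_tree() is constructed data."""
import io, os, re, tempfile, zipfile
from dataclasses import dataclass
from typing import Iterator, Optional, Tuple

JNDI_LOOKUP_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
POM_PROPERTIES = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
# The post's fixed version (lookups removed, JNDI off by default); a parameter, since
# later advisories raised the recommended floor.
FIXED_VERSION = (2, 16, 0)
ARCHIVE_SUFFIXES = (".jar", ".war", ".ear", ".zip")

def parse_version(text: str) -> Optional[Tuple[int, ...]]:
    """'log4j-core-2.14.1.jar' -> (2, 14, 1); '2.12' -> (2, 12, 0); no version -> None."""
    m = re.search(r"(\d+)\.(\d+)(?:\.(\d+))?", text)
    return tuple(int(g) for g in m.groups("0")) if m else None

def log4j_core_version(zf: zipfile.ZipFile, path: str) -> Optional[Tuple[int, ...]]:
    if POM_PROPERTIES in zf.namelist():  # Maven metadata inside the jar beats the file name
        for line in zf.read(POM_PROPERTIES).decode("utf-8", "replace").splitlines():
            if line.startswith("version="):
                return parse_version(line.split("=", 1)[1])
    return parse_version(os.path.basename(path.split("!")[-1]))

@dataclass
class Finding:
    path: str  # 'app.war!WEB-INF/lib/x.jar' for a jar nested inside another archive
    version: Optional[Tuple[int, ...]]
    jndi_lookup_present: bool

    @property
    def needs_action(self) -> bool:
        # Per the post: fixed at 2.16.0, or mitigated earlier by removing JndiLookup.
        if not self.jndi_lookup_present:
            return False
        return self.version is None or self.version < FIXED_VERSION  # unknown = unpatched

def _scan_zip(zf: zipfile.ZipFile, path: str) -> Iterator[Finding]:
    names = zf.namelist()
    if any(n.startswith("org/apache/logging/log4j/core/") for n in names):
        yield Finding(path, log4j_core_version(zf, path), JNDI_LOOKUP_CLASS in names)
    for n in names:  # recurse into jars bundled inside wars/ears/fat jars
        if n.lower().endswith(ARCHIVE_SUFFIXES):
            try:
                with zipfile.ZipFile(io.BytesIO(zf.read(n))) as inner:
                    yield from _scan_zip(inner, f"{path}!{n}")
            except zipfile.BadZipFile:
                continue

def scan_tree(root: str) -> Iterator[Finding]:
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            if name.lower().endswith(ARCHIVE_SUFFIXES):
                try:
                    with zipfile.ZipFile(full) as zf:
                        yield from _scan_zip(zf, full)
                except zipfile.BadZipFile:
                    continue

def strip_jndi_lookup(jar_path: str) -> bool:
    """Rewrite a top-level jar without JndiLookup.class. True if it was present and removed."""
    buf = io.BytesIO()
    with zipfile.ZipFile(jar_path) as src:
        if JNDI_LOOKUP_CLASS not in src.namelist():
            return False
        with zipfile.ZipFile(buf, "w") as dst:
            for item in src.infolist():
                if item.filename == JNDI_LOOKUP_CLASS:
                    continue
                zi = zipfile.ZipInfo(item.filename, date_time=item.date_time)
                zi.compress_type, zi.external_attr = item.compress_type, item.external_attr
                dst.writestr(zi, src.read(item.filename))
    with open(jar_path + ".tmp", "wb") as fh:
        fh.write(buf.getvalue())
    os.replace(jar_path + ".tmp", jar_path)  # atomic swap: never leave a half-written jar
    return True

def make_sample_jar(target, version: str):
    # Constructed stand-in for log4j-core: real entry layout, dummy class bytes.
    with zipfile.ZipFile(target, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr(POM_PROPERTIES, f"version={version}\nartifactId=log4j-core\n")
        zf.writestr("org/apache/logging/log4j/core/Logger.class", b"\xca\xfe\xba\xbe")
        zf.writestr(JNDI_LOOKUP_CLASS, b"\xca\xfe\xba\xbe")
    return target

def build_demo_tree(root: Optional[str] = None) -> Tuple[str, dict]:
    """Constructed deployment: an unpatched jar, a war nesting 2.15.0, and a 2.16.0 jar."""
    root = root or tempfile.mkdtemp(prefix="log4jscan-")
    old = make_sample_jar(os.path.join(root, "log4j-core-2.14.1.jar"), "2.14.1")
    fixed = make_sample_jar(os.path.join(root, "log4j-core-2.16.0.jar"), "2.16.0")
    war = os.path.join(root, "app.war")
    with zipfile.ZipFile(war, "w") as zf:
        zf.writestr("WEB-INF/lib/log4j-core-2.15.0.jar",
                    make_sample_jar(io.BytesIO(), "2.15.0").getvalue())
    return root, {"old": old, "fixed": fixed, "war": war}

if __name__ == "__main__":
    root, paths = build_demo_tree()
    for f in scan_tree(root):
        print(f.path, f.version, "JndiLookup" if f.jndi_lookup_present else "-", f.needs_action)
```

`strip_jndi_lookup` only rewrites top-level jars; the copy nested inside the war above is reported but has to be unpacked, stripped and repackaged. A JVM that has already loaded `JndiLookup` keeps it until restart, so rewriting the jar on disk is not complete until the application is redeployed. Shaded or renamed jars are caught by the `org/apache/logging/log4j/core/` entry check rather than by file name, which is why the version falls back to `None` (treated as unpatched) when no Maven metadata survives.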