New Log4j Patch Released to Fix DoS Flaw

New Log4j Patch Released to Fix DoS Flaw

Apache has released a new patch for Log4j to mitigate a high severity vulnerability, as researchers separately found a new attack vector for the Log4Shell bug.

The open-source web server community had previously released a patch to fix the now-infamous CVE-2021-44228 flaw in the popular logging utility.

However, in an update, it admitted that this fix did not address a newly discovered issue in Log4j, which has been given a CVSS score of 7.5.

“Apache Log4j2 versions 2.0-alpha1 through 2.16.0 did not protect from uncontrolled recursion from self-referential lookups,” it explained.

“When the logging configuration uses a non-default Pattern Layout with a Context Lookup (for example, $${ctx:loginId}), attackers with control over Thread Context Map (MDC) input data can craft malicious input data that contains a recursive lookup, resulting in a StackOverflowError that will terminate the process. This is also known as a DoS (Denial of Service) attack.”

The news comes as researchers at Blumira made a discovery that effectively expands the attack surface for Log4Shell, by enabling Javascript WebSocket connections to trigger the remote code execution bug on unpatched Log4j instances.

It means that even services running as localhost that aren’t exposed to a network could

Read More: