The internet collapsed last weekend after Log4Shell, a severe zero-day vulnerability in Log4j, an open-source logging framework used in a wide range of Java applications, was discovered. Over the weekend, developers and maintainers hurried to patch as many of their Java programs as possible. The first line of defense was the Log4j project itself, which is maintained by the Apache Software Foundation’s Logging Services team.
As the security industry scrambles to prevent and cure a catastrophic zero-day Java library logging bug dubbed Log4Shell (CVE-2021-44228), a second vulnerability affecting Apache Log4j has been uncovered. According to the CVE description, the new vulnerability, CVE-2021-45046, might allow attackers to construct malicious input data via a JNDI lookup pattern, resulting in a denial-of-service (DoS) attack.
The second vulnerability, CVE-2021-45046, is rated 3.7 out of 10 on the CVSS scale and affects all versions of Log4j from 2.0-beta9 to 2.12.1 and from 2.13.0 to 2.15.0. That last version, 2.15.0, is the one the project maintainers released last week to address the critical remote code execution vulnerability (CVE-2021-44228) that could be exploited to infiltrate and take control of systems.
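As an added defender-side check, not taken from the article or from the Log4j project, the following Python walks a directory tree for log4j-core jars and flags any whose version falls inside the affected ranges quoted above. It reads the standard `Implementation-Version` attribute from each jar's manifest and, as an assumption about how the files are named, falls back to the version embedded in the file name.

```python
import re
from pathlib import Path
from zipfile import ZipFile

# Affected ranges as stated in the article (both ends inclusive).
AFFECTED_RANGES = [("2.0-beta9", "2.12.1"), ("2.13.0", "2.15.0")]


def parse_version(v):
    """Turn '2.15.0' or '2.0-beta9' into a comparable tuple.
    Pre-release tags sort before the final release, so 2.0-beta9 < 2.0."""
    m = re.fullmatch(r"(\d+)\.(\d+)(?:\.(\d+))?(?:-(alpha|beta|rc)(\d+))?", v)
    if not m:
        raise ValueError(f"unrecognised Log4j version: {v}")
    major, minor, patch = int(m[1]), int(m[2]), int(m[3] or 0)
    tag = {"alpha": 0, "beta": 1, "rc": 2}.get(m[4], 3)  # 3 = final release
    return (major, minor, patch, tag, int(m[5] or 0))


def is_affected(version):
    """True if the version lies inside one of the affected ranges."""
    v = parse_version(version)
    return any(parse_version(lo) <= v <= parse_version(hi)
               for lo, hi in AFFECTED_RANGES)


def manifest_version(manifest_text):
    """Extract Implementation-Version from a JAR manifest, or None."""
    m = re.search(r"^Implementation-Version:\s*(\S+)", manifest_text, re.M)
    return m[1] if m else None


def jar_version(jar_path):
    """Read the manifest inside a jar; fall back to the file-name version
    (assumed naming: log4j-core-<version>.jar)."""
    with ZipFile(jar_path) as z:
        v = manifest_version(z.read("META-INF/MANIFEST.MF").decode("utf-8", "replace"))
    if v is None:
        m = re.search(r"log4j-core-(.+)\.jar$", Path(jar_path).name)
        v = m[1] if m else None
    return v


def scan(root):
    """Yield (path, version, affected) for every log4j-core jar under root."""
    for p in Path(root).rglob("log4j-core-*.jar"):
        v = jar_version(p)
        yield str(p), v, (v is not None and is_affected(v))


if __name__ == "__main__":
    import sys
    for path, ver, bad in scan(sys.argv[1] if len(sys.argv) > 1 else "."):
        print(f"{'AFFECTED' if bad else 'ok      '} {ver:<12} {path}")
```

Versions such as 2.12.2 and 2.16.0 fall outside the quoted ranges and are reported as `ok`; this only checks version numbers, not whether a deployment uses the non-default configuration the second CVE depends on.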
“The first vulnerability exposed users to the possibility of remote code execution, and because Log4J is so extensively used, it affected a wide range of applications,” says Matthew Gracey McMinn, head of threat research at Cetacea. “As a result, resolving the issue was a top priority. However, it appears that while the initial patch prevents remote code execution, it may not be 100 percent effective if you have a highly customized setup.” The hazard of this new, second vulnerability is the prospect of DoS attacks, he says.