Threat Signal Report

Log4j 2.17.0 Released In Response to New Log4j Vulnerability (CVE-2021-45105)

Description

FortiGuard Labs is aware that the Apache Software Foundation released Log4j version 2.17.0 on December 18th 2021 in response to a new Log4j vulnerability (CVE-2021-45105). This is the third Log4j version Apache released since December 10th 2021. CVE-2021-45105 is identified as a Denial of Service (DoS) vulnerability.


Why is this Significant?

This is significant because CVE-2021-45105 is the latest Log4j vulnerability disclosed by Apache. Log4j version 2.17.0 is the third update Apache has released since December 10th in response to a series of Log4j vulnerabilities, two of which were rated critical.


What is CVE-2021-45105?

Apache describes CVE-2021-45105 as the following:

"Apache Log4j2 versions 2.0-alpha1 through 2.16.0 did not protect from uncontrolled recursion from self-referential lookups. When the logging configuration uses a non-default Pattern Layout with a Context Lookup (for example, $${ctx:loginId}), attackers with control over Thread Context Map (MDC) input data can craft malicious input data that contains a recursive lookup, resulting in a StackOverflowError that will terminate the process. This is also known as a DOS (Denial of Service) attack".

The vulnerability was assigned a CVSS score of 7.5 and a severity rating of High.


What Versions of Log4j are Vulnerable?

All Log4j versions from 2.0-beta9 to 2.16.0.


Has the Vendor Released an Advisory for CVE-2021-45105?

Yes, Apache released an advisory for CVE-2021-45105 on December 18th. See the Appendix for a link to the advisory entry "Fixed in Log4j 2.17.0 (Java 8)".


Has the Vendor Released a Fix for CVE-2021-45105?

Yes, Log4j version 2.17.0 was released on December 18th 2021 to fix the issue.


What is the Status of Coverage?

Based on the available Proof-of-Concept code, exploit attempts are detected by IPS signature "Apache.Log4j.Error.Log.Remote.Code.Execution".


Any Suggested Mitigation?

Apache provided the following mitigation information:


Log4j 1.x mitigation

Log4j 1.x is not impacted by this vulnerability.


Log4j 2.x mitigation

Implement one of the following mitigation techniques:


Java 8 (or later) users should upgrade to release 2.17.0.

Alternatively, this can be mitigated in configuration:


In PatternLayout in the logging configuration, replace Context Lookups like ${ctx:loginId} or $${ctx:loginId} with Thread Context Map patterns (%X, %mdc, or %MDC).

Otherwise, in the configuration, remove references to Context Lookups like ${ctx:loginId} or $${ctx:loginId} where they originate from sources external to the application such as HTTP headers or user input.
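As an added example (not part of the FortiGuard report or the Apache project), the following Python script audits a Log4j 2 XML configuration for the Context Lookups that the mitigation above says to replace, and shows the rewrite to the %X{key} Thread Context Map pattern. Both configurations embedded in it are constructed samples; the element and attribute names it reads (Configuration, PatternLayout, pattern, Pattern) are the standard Log4j 2 XML ones.

```python
"""Audit a Log4j 2 XML configuration for Context Lookups in PatternLayout.

Added example, not code from the FortiGuard report or from Apache Log4j.
Only the XML configuration format is handled; the two configurations
below are constructed samples.
"""
import re
import xml.etree.ElementTree as ET

# Matches both ${ctx:key} and the lazy double-dollar form $${ctx:key},
# which is evaluated at log time and is the one the advisory describes.
CTX_LOOKUP = re.compile(r"\$?\$\{ctx:([^}]+)\}")

# Constructed sample: a PatternLayout that still uses a Context Lookup.
VULNERABLE_CONFIG = """<?xml version="1.0" encoding="UTF-8"?>
<Configuration status="WARN">
  <Appenders>
    <Console name="Console" target="SYSTEM_OUT">
      <PatternLayout pattern="%d %p %c{1.} [%t] user=$${ctx:loginId} %m%n"/>
    </Console>
  </Appenders>
  <Loggers>
    <Root level="info"><AppenderRef ref="Console"/></Root>
  </Loggers>
</Configuration>
"""

# Constructed sample: the same layout after Apache's mitigation, i.e. the
# Thread Context Map pattern %X{loginId} instead of a Context Lookup.
HARDENED_CONFIG = VULNERABLE_CONFIG.replace("$${ctx:loginId}", "%X{loginId}")


def _layout_patterns(layout):
    """Collect pattern strings from a <PatternLayout>: attribute or <Pattern> child."""
    patterns = []
    if layout.get("pattern"):
        patterns.append(layout.get("pattern"))
    for child in layout.findall("Pattern"):
        if child.text:
            patterns.append(child.text.strip())
    return patterns


def find_context_lookups(xml_text):
    """Return (MDC key, pattern) for every ctx lookup found in a PatternLayout."""
    root = ET.fromstring(xml_text)
    findings = []
    for layout in root.iter("PatternLayout"):
        for pattern in _layout_patterns(layout):
            for key in CTX_LOOKUP.findall(pattern):
                findings.append((key, pattern))
    return findings


def rewrite_pattern(pattern):
    """Replace each ${ctx:key} / $${ctx:key} with the equivalent %X{key} pattern."""
    return CTX_LOOKUP.sub(lambda m: "%X{" + m.group(1) + "}", pattern)


def audit(xml_text):
    """Return human-readable findings, each with the suggested replacement pattern."""
    return [
        "ctx lookup for key '%s' in pattern: %s  ->  suggested: %s"
        % (key, pattern, rewrite_pattern(pattern))
        for key, pattern in find_context_lookups(xml_text)
    ]


if __name__ == "__main__":
    for label, cfg in (("vulnerable", VULNERABLE_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(label + ":", audit(cfg) or ["no Context Lookups in any PatternLayout"])
```

Run it against a real log4j2.xml by reading the file into a string and passing it to audit(); an empty result means no PatternLayout in that file still carries a Context Lookup, which is the state the mitigation asks for.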

Note that only the log4j-core JAR file is impacted by this vulnerability. Applications using only the log4j-api JAR file without the log4j-core JAR file are not impacted by this vulnerability.
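To act on the version range given above and on the log4j-core versus log4j-api distinction, here is an added Python example (not the report's or Apache's code) that triages a directory listing of JAR file names. The file names it is fed are constructed samples; it assumes Maven-style names such as log4j-core-2.16.0.jar, encodes the vulnerable range exactly as this report states it (2.0-beta9 through 2.16.0) with 2.17.0 as the fixed release, and treats Log4j 1.x and api-only deployments as not affected, as the report says.

```python
"""Triage Log4j JAR file names against the version range this report lists.

Added example, not code from the FortiGuard report or from Apache Log4j.
Assumes Maven-style file names (log4j-core-<version>.jar); the inventory
passed in at the bottom is a constructed sample.
"""
import re

# Pre-release tags sort before the GA release of the same version number.
PRERELEASE_ORDER = {"alpha": 0, "beta": 1, "rc": 2, None: 3}
VERSION_RE = re.compile(r"(\d+)\.(\d+)(?:\.(\d+))?(?:-(alpha|beta|rc)(\d+))?", re.IGNORECASE)


def parse_version(version):
    """Turn '2.0-beta9' or '2.16.0' into a tuple that compares correctly."""
    m = VERSION_RE.fullmatch(version)
    if not m:
        raise ValueError("unrecognised version: " + version)
    major, minor, patch, tag, tag_num = m.groups()
    tag = tag.lower() if tag else None
    return (int(major), int(minor), int(patch or 0), PRERELEASE_ORDER[tag], int(tag_num or 0))


# Range as stated in this report; fixed release per the Apache advisory.
FIRST_VULNERABLE = parse_version("2.0-beta9")
LAST_VULNERABLE = parse_version("2.16.0")
FIXED = parse_version("2.17.0")


def classify_jar(filename):
    """Classify one JAR file name; only log4j-core carries the vulnerable code."""
    if re.fullmatch(r"log4j-1\.\d+(?:\.\d+)?\.jar", filename):
        return "log4j-1.x-not-affected"
    m = re.fullmatch(r"log4j-(core|api)-(.+)\.jar", filename)
    if not m:
        return "not-log4j"
    artifact, version = m.groups()
    if artifact == "api":
        return "api-jar"  # only relevant if no log4j-core is present alongside it
    try:
        v = parse_version(version)
    except ValueError:
        return "unparsed-version"
    if FIRST_VULNERABLE <= v <= LAST_VULNERABLE:
        return "vulnerable"
    if v >= FIXED:
        return "fixed"
    return "older-than-listed-range"


def triage_inventory(filenames):
    """Summarise a directory listing: status plus the verdict for each log4j-core JAR."""
    core = {f: classify_jar(f) for f in filenames if f.startswith("log4j-core-")}
    if not core:
        has_api = any(classify_jar(f) == "api-jar" for f in filenames)
        status = "api-only-not-affected" if has_api else "no-log4j-2-core"
    elif any(verdict == "vulnerable" for verdict in core.values()):
        status = "vulnerable"
    else:
        status = "not-vulnerable-by-version"
    return {"status": status, "core_jars": core}


if __name__ == "__main__":
    # Constructed sample inventory of a hypothetical application's lib/ directory.
    sample = ["log4j-api-2.16.0.jar", "log4j-core-2.16.0.jar", "log4j-1.2.17.jar", "guava-31.0.jar"]
    print(triage_inventory(sample))
```

The version comparison matters because a plain string compare puts "2.0-beta9" after "2.0" and "2.9.1" after "2.16.0"; the tuple form keeps pre-releases before their GA version and compares each numeric component as a number.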


Also note that Apache Log4j is the only Logging Services subproject affected by this vulnerability. Other projects like Log4net and Log4cxx are not impacted by this.


Definitions

Traffic Light Protocol

Color / When should it be used? / How may it be shared?

TLP: RED

Not for disclosure, restricted to participants only.
Sources may use TLP:RED when information cannot be effectively acted upon by additional parties, and could lead to impacts on a party's privacy, reputation, or operations if misused. Recipients may not share TLP:RED information with any parties outside of the specific exchange, meeting, or conversation in which it was originally disclosed. In the context of a meeting, for example, TLP:RED information is limited to those present at the meeting. In most circumstances, TLP:RED should be exchanged verbally or in person.

TLP: AMBER

Limited disclosure, restricted to participants’ organizations.
Sources may use TLP:AMBER when information requires support to be effectively acted upon, yet carries risks to privacy, reputation, or operations if shared outside of the organizations involved. Recipients may only share TLP:AMBER information with members of their own organization, and with clients or customers who need to know the information to protect themselves or prevent further harm. Sources are at liberty to specify additional intended limits of the sharing: these must be adhered to.

TLP: GREEN

Limited disclosure, restricted to the community.
Sources may use TLP:GREEN when information is useful for the awareness of all participating organizations as well as with peers within the broader community or sector. Recipients may share TLP:GREEN information with peers and partner organizations within their sector or community, but not via publicly accessible channels. Information in this category can be circulated widely within a particular community. TLP:GREEN information may not be released outside of the community.

TLP: WHITE

Disclosure is not limited.
Sources may use TLP:WHITE when information carries minimal or no foreseeable risk of misuse, in accordance with applicable rules and procedures for public release. Subject to standard copyright rules, TLP:WHITE information may be distributed without restriction.