Another Day, Another Log4j Vulnerability – InApps is an article under the topic Software Development Many of you are most interested in today !! Today, let’s InApps.net learn Another Day, Another Log4j Vulnerability – InApps in today’s post !

Read more about Another Day, Another Log4j Vulnerability – InApps at Wikipedia



You can find content about Another Day, Another Log4j Vulnerability – InApps from the Wikipedia website

Dan Lorenc, founder and CEO of the open source security supply chain company Chainguard, joked with me after I said that, “Log4Shell may, with no exaggeration, be the worst IT security problem of our generation” by replying with a Simpsons meme, “worst day of your life so far.

Then, I saw this: CVE-2021-45046, a new Log4j vulnerability, and it wasn’t so funny anymore.

First, the good news. This security problem isn’t anything as bad as the original. The first is going to keep you up at night for weeks, possibly months, to come. Don’t believe me? Just watch, kids.

Where It Came from

This new one arose because while the repairs that addressed CVE-2021-44228, Log4Shell, were good as far as they went, they didn’t go far enough. So, the fixed version, Apache Log4j 2.15.0, was “incomplete in certain non-default configurations.”

That’s not good, but with a CVSS Score: 3.7, moderate severity, that’s much better than Log4Shell’s 10 out of 10 disaster rating.

True, “This could allow attackers… to craft malicious input data using a JNDI [Java Naming and Directory Interface] Lookup pattern resulting in a denial of service (DOS) attack.” But this vulnerability only works with certain non-default configurations. Specifically, if the logging configuration uses a non-default Pattern Layout with either a Context Lookup (for example, $${ctx:loginId}) or a Thread Context Map pattern (%X, %mdc, or %MDC) to craft malicious input data, then an attacker could get control over Thread Context Map (MDC) input data.

Read More:   Value Creation For Private Equity's Tech-Enabled Portfolio Companies

Gotcha! But Never Fear, a Fix Is Available

So that’s not too bad. But there’s a gotcha. Previous Log4Shell mitigations such as setting the system property log4j2.noFormatMsgLookup to true do NOT mitigate this specific vulnerability. So, if you’ve been doing that to avoid Log4Shell, you may still be in trouble.

Fortunately, the Apache Foundation’s developers have already issued a fix, Log4j 2.16.0, for this new problem. This patch removes support for message lookup patterns and disables JNDI functionality by default. You can still mitigate it in earlier (<2.16.0) Log4Shell releases by removing the JndiLookup class from the classpath. For example:

zip -q -d log4j-core-*.jar org/apache/logging/log4j/core/lookup/JndiLookup.class

Disabling JNDI Lookup

Does that make you think part of the fix is simply disabling JNDI Lookup functionality? If so, congratulations, you’re right. As the developers said, “The safest thing to do is to upgrade Log4j to a safe version, or remove the JndiLookup class from the log4j-core jar.”

Matt Sicker, Apple software engineer and the Apache Foundation VP of Logging Services, explained further in a mailing list message, “the Log4j team feels that having JNDI enabled by default introduces an undue risk for our users.” Further, “Use of JNDI in an unprotected context is a large security risk and should be treated as such in both this library and all other Java libraries using JNDI.” Well, given what we’ve seen, you can’t argue with that! Therefore, from this version on, JNDI is disabled by default.

That’s good, but I can also see, first, many programs will need to be rewritten to deal with no longer having JNDI access. And two, I wonder what other unsanitized access to JNDI might be hiding in other Java libraries.

But the latter is a worry for another day. Now, if you’ll excuse me, I’m off to download and update everything to Log4j 2.16.0.

Feature Image par kulnor de Pixabay 




Source: InApps.net

Rate this post
As a Senior Tech Enthusiast, I bring a decade of experience to the realm of tech writing, blending deep industry knowledge with a passion for storytelling. With expertise in software development to emerging tech trends like AI and IoT—my articles not only inform but also inspire. My journey in tech writing has been marked by a commitment to accuracy, clarity, and engaging storytelling, making me a trusted voice in the tech community.

Let’s create the next big thing together!

Coming together is a beginning. Keeping together is progress. Working together is success.

Let’s talk

Get a custom Proposal

Please fill in your information and your need to get a suitable solution.

    You need to enter your email to download

      Success. Downloading...