A new, less dangerous Log4j vulnerability was found in 2.15.0

@scqrinc

A new Log4j vulnerability, CVE-2021-45046, was found and reported in 2.15.0 as well. It was fixed in the next release, 2.16.0, published on 13 Dec 2021. It is less dangerous than the one in 2.14.1 and earlier, known as Log4Shell.

Log4j 2.15.0 was released to fix the critical RCE vulnerability CVE-2021-44228 (Log4Shell), which affects 2.14.1 and earlier (2.0-beta9 through 2.14.1).

Although both versions have a vulnerability, the two are clearly different. CVE-2021-45046 in 2.15.0 is triggered through the Thread Context Map (MDC) and has hard requirements to exploit: the logging configuration must use a non-default Pattern Layout that includes either a Context Lookup (for example $${ctx:loginId}) or a Thread Context Map pattern (%X, %mdc or %MDC), and the attacker must be able to place data into the MDC.
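The precondition above is something you can check for in your own deployments without touching the application code: if no Pattern Layout references the Thread Context Map, the CVE-2021-45046 path is closed regardless of what ends up in the MDC. The following is an added example, not code from the original post or from the Log4j project; it scans a log4j2.xml configuration for the risky converters and lookups named in Apache's advisory. The two configurations embedded in it are constructed samples, and the `find_risky_patterns` helper name is my own.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample (not from the original post): a non-default PatternLayout
# that renders Thread Context Map (MDC) entries, i.e. the CVE-2021-45046 precondition.
VULNERABLE_CONFIG = """<?xml version="1.0" encoding="UTF-8"?>
<Configuration status="WARN">
  <Appenders>
    <Console name="Console" target="SYSTEM_OUT">
      <PatternLayout pattern="%d %p [%X{loginId}] $${ctx:session} %m%n"/>
    </Console>
  </Appenders>
  <Loggers>
    <Root level="info"><AppenderRef ref="Console"/></Root>
  </Loggers>
</Configuration>
"""

# Constructed sample that only uses converters unrelated to the Thread Context Map.
SAFE_CONFIG = """<?xml version="1.0" encoding="UTF-8"?>
<Configuration status="WARN">
  <Appenders>
    <Console name="Console" target="SYSTEM_OUT">
      <PatternLayout pattern="%d %p %c{1.} [%t] %m%n"/>
    </Console>
  </Appenders>
  <Loggers>
    <Root level="info"><AppenderRef ref="Console"/></Root>
  </Loggers>
</Configuration>
"""

# Converters and lookups that copy Thread Context Map data into the formatted line:
# %X / %mdc / %MDC (optionally with a {key}) and the ${ctx:key} / $${ctx:key} lookup.
RISKY = re.compile(r"%(?:X|mdc|MDC)\b(?:\{[^}]*\})?|\$\$?\{ctx:[^}]*\}")


def find_risky_patterns(config_xml):
    """Return a list of (pattern, matches) for every PatternLayout in the config
    whose pattern string references the Thread Context Map. An empty list means
    the configuration does not meet the CVE-2021-45046 precondition."""
    root = ET.fromstring(config_xml)
    findings = []
    for layout in root.iter("PatternLayout"):
        # The pattern may be given as an attribute or as a nested <Pattern> element.
        pattern = layout.get("pattern") or (layout.findtext("Pattern") or "")
        hits = RISKY.findall(pattern)
        if hits:
            findings.append((pattern, hits))
    return findings


if __name__ == "__main__":
    for name, cfg in (("vulnerable", VULNERABLE_CONFIG), ("safe", SAFE_CONFIG)):
        print(name, find_risky_patterns(cfg))
```

Run it against each log4j2.xml you ship; a non-empty result means the layout pulls MDC data into log lines, and on 2.15.0 that is the configuration the advisory warns about. A clean result only rules out this particular path: the right fix remains upgrading to 2.16.0 or later.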

CVSS, the Common Vulnerability Scoring System, assigns severity scores to vulnerabilities.

Looking at the CVSS scores Apache published for the recent Log4j vulnerabilities, CVE-2021-44228 (Log4Shell) is rated 10.0 (the highest, i.e. the worst), while CVE-2021-45046 in 2.15.0 was rated 3.7 (far lower). Note that Apache later revised the CVE-2021-45046 score upward as further exploitation paths were found, so consult the current advisory rather than relying on the score quoted at publication time.

CVE-2021-44228 (Log4Shell) is easy for attackers to exploit because it has no such hard requirements; exploiting CVE-2021-45046 in 2.15.0 is not. Both versions of Log4j carry risk, but the two vulnerabilities are very different in terms of severity.

By the way, Log4j 2.16.0, released on 13 Dec 2021, disables all JNDI (Java Naming and Directory Interface) features by default and removes the message lookups feature entirely. The Apache Software Foundation did this to reduce the chance of similar vulnerabilities being found in the future, rather than patching one instance at a time.


This post is based on tweets by my company.


Comments or feedback are welcome and appreciated.