Log4j 2: New vulnerability on DoS in 2.16.0 and below

@scqrinc

Log4j 2.17.0 was released for security reasons. It fixes a DoS vulnerability in Log4j 2 versions 2.16.0 and below.

As to the new DoS (denial-of-service) vulnerability, a default Pattern Layout is safe as long as Context Lookups such as $${ctx:loginId} are NOT used in the logging configuration. Otherwise, the CVSS score is 7.5 and the severity is high.

On Log4j 2 with a custom Pattern Layout that uses Context Lookups such as $${ctx:loginId}, updating to 2.17.0 is recommended to fix the vulnerability, CVE-2021-45105. It can bring the service down.

Alternatively, it can be mitigated by replacing Log4j 2 non-default Context Lookups with Thread Context Map patterns (%X, %mdc, or %MDC) or by reducing references to them in the configuration, thanks to The Apache Software Foundation's effort and information: https://logging.apache.org/log4j/2.x/security.html
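To check whether a configuration falls under the affected case and to apply the mitigation above, here is an added audit script (example code, not from the post or from the Apache project). It parses a constructed sample log4j2.xml, reports every PatternLayout whose pattern contains a Context Lookup, and rewrites `$${ctx:key}` as the `%X{key}` Thread Context Map pattern; the appender names and the sample config are assumptions.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample log4j2.xml (not taken from the post): the "Audit" appender
# uses a Context Lookup in its pattern, the "Default" appender does not.
SAMPLE_CONFIG = """<?xml version="1.0" encoding="UTF-8"?>
<Configuration status="WARN">
  <Appenders>
    <Console name="Audit" target="SYSTEM_OUT">
      <PatternLayout pattern="%d %-5p user=$${ctx:loginId} %c{1.} - %m%n"/>
    </Console>
    <Console name="Default" target="SYSTEM_OUT">
      <PatternLayout pattern="%d %-5p %c{1.} [%t] %m%n"/>
    </Console>
  </Appenders>
  <Loggers>
    <Root level="info"><AppenderRef ref="Audit"/><AppenderRef ref="Default"/></Root>
  </Loggers>
</Configuration>"""

# Matches $${ctx:key} (and the single-dollar form ${ctx:key}) in a layout pattern.
CTX_LOOKUP = re.compile(r"\$\$?\{ctx:([^}]+)\}")


def find_context_lookups(config_xml):
    """Return [(appender_name, pattern, [keys])] for each PatternLayout whose
    pattern contains a Context Lookup, i.e. the non-default case the post
    describes as affected by CVE-2021-45105."""
    root = ET.fromstring(config_xml)
    findings = []
    for element in root.iter():
        for layout in element.findall("PatternLayout"):
            pattern = layout.get("pattern", "")
            keys = CTX_LOOKUP.findall(pattern)
            if keys:
                findings.append((element.get("name"), pattern, keys))
    return findings


def to_thread_context_pattern(pattern):
    """Rewrite each $${ctx:key} lookup as %X{key}, which reads the Thread
    Context Map value directly instead of going through the lookup engine."""
    return CTX_LOOKUP.sub(lambda m: "%X{" + m.group(1) + "}", pattern)


if __name__ == "__main__":
    for name, pattern, keys in find_context_lookups(SAMPLE_CONFIG):
        print(f"appender {name}: context lookups {keys}")
        print("  mitigated pattern:", to_thread_context_pattern(pattern))
```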


This post is based on tweets by my company.


Comments or feedback are welcome and appreciated.