Log4j 2.17.0 was released due to security reason. It fixes DoS vulnerability in 2.16.0 and below on v2.
As to the new vulnerability on DoS (denial-of-service), it’s safe with a default Pattern Layout where a Context Lookup such as $${ctx:loginId}
are NOT used in logging configuration.
Otherwise, the CVSS score is 7.5 and the severity is high.
On Log4j 2 with custom Pattern Layout with Context Lookups such as $${ctx:loginId}
, updating its version to 2.17.0 is recommended to fix the vulnerability called CVE-2021-45105. It can cause service down.
Alternatively, it can be mitigated to replace Log4j 2 non-default Context Lookups with Thread Context Map patterns (%X, %mdc, or %MDC) or to reduce references to them in configuration, thanks to The Apache Software Foundation effort and information: https://logging.apache.org/log4j/2.x/security.html
This post is based on the tweets by my company.