Apache Releases Log4j 2.16.0 to Address Incomplete Fix for CVE-2021-44228

On December 13, Apache released Log4j 2.16.0. This release contained a number of fixes, including hardening tactics to prevent exploitation of CVE-2021-44228, also known as Log4Shell. These hardening tactics include the removal of message lookups as well as disabling JNDI by default. 

On December 14, Apache published an additional update regarding the release of Log4j 2.16.0. In this update, they highlight that the fix for 2.16.0 addresses a new CVE, identified as CVE-2021-45046. According to Apache, the fix for CVE-2021-44228 was incomplete under specific non-default configurations. In such configurations, where a Context Lookup (e.g.: $${ctx:loginId}) or Thread Context Map pattern (e.g.: (%X, %mdc, or %MDC) is used, an attacker that crafts a JNDI lookup using malicious input data would be able to cause a denial of service (DoS) condition on a vulnerable server using Log4j 2. Apache notes that the mitigation for CVE-2021-44228 involving setting the noMsgFormatLookups to true would not mitigate CVE-2021-45046.

Customers are advised to update to the latest version of Log4j 2 to address this DoS vulnerability. If updating is not feasible at this time, Apache recommends removing the JndiLookup class file from the classpath.

A list of Tenable plugins to identify this vulnerability will appear here as they’re released.

For more information about Log4Shell, please visit our blog.