Vulnerability Watch

Forum Discussion

scaveza
Product Team
4 years ago

CVE-2021-44228, CVE-2021-45046, CVE-2021-4104, CVE-2021-45105

CVE-2021-44228, CVE-2021-45046, CVE-2021-4104, CVE-2021-45105: Frequently Asked Questions About Log4Shell and Associated Vulnerabilities

As new developments continue to occur, including new CVEs impacting Apache Log4j, we have released a new blog post to help clarify these new CVEs and their impact. Fortunately, these latest vulnerabilities have each come with a caveat of being exploitable in non-default configurations; however, Apache still recommends updating to the latest available version.

Early this morning, Apache released a new version of Log4j, version 2.17.0. This version was released to address CVE-2021-45105, a Denial of Service vulnerability. According to the advisory, this vulnerability is exploitable when Log4j is configured in a non-default configuration. For further information on the vulnerability and the mitigation strategies recommended by Apache, please refer to the following security advisory document.

A list of Tenable plugins to identify each of these vulnerabilities can be found here and will continue to be updated as new plugins are released.

For more information about Log4Shell and the associated vulnerabilities impacting the library, please visit our blog. Additionally, a dedicated resource page is available to keep up to date on the latest response from Tenable on Log4j: https://www.tenable.com/log4j
