The original vulnerability found in Log4j (CVE-2021-44228), which stunned the world because of its severity, its ease of exploitation, and the scale of its impact on software and cloud services, is not the only vulnerability in the Java-based logging utility.
Right after version 2.15.0 was released to fix that vulnerability, it turned out that 2.15.0 remained vulnerable in certain non-default configurations because the patch was incomplete. This newer vulnerability, CVE-2021-45046, was fixed in Log4j version 2.16.0. It was initially rated low severity with a CVSS score of 3.7, but the score was later raised to critical (CVSS 9.0). It was first reported as a denial-of-service bug, but it was later found that exploiting it could permit data exfiltration as well as remote code execution.
According to Apache, when the logging configuration uses a non-default Pattern Layout with a Context Lookup (for example, $${ctx:loginId}), attackers who control the Thread Context Map (MDC) input data can craft malicious input containing a recursive lookup, causing a StackOverflowError that terminates the process.
Apache strongly recommended that organizations upgrade again, to version 2.16.0, to prevent exploitation of this latest vulnerability; however, yet another vulnerability, CVE-2021-45105, had already been identified. This one is a DoS bug with a CVSS score of 7.5 (high severity) and affects all Log4j versions from 2.0-beta9 through 2.16.0.
According to the Apache Software Foundation (ASF), versions 2.0-alpha1 through 2.16.0 of Apache Log4j2 did not protect against uncontrolled recursion from self-referential lookups. When the logging configuration uses a non-default Pattern Layout with a Context Lookup (for example, $${ctx:loginId}), attackers who control the Thread Context Map input data can craft malicious input containing a recursive lookup, resulting in a StackOverflowError that will terminate the process.
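As an added, defender-side example (not code from the article or from the Log4j project), the following Python script scans a Log4j2 XML configuration for PatternLayout patterns that embed the kind of Thread Context lookup described above and shows the equivalent pattern using the %X{key} converter, which prints the MDC value without evaluating lookups. The configuration embedded in the script is constructed for this example.

```python
"""Flag Log4j2 PatternLayout patterns that embed Thread Context (MDC) lookups.

A pattern like "$${ctx:loginId}" re-resolves the lookup on every log event, so an
MDC value under user control becomes lookup input (CVE-2021-45046 / CVE-2021-45105).
The "%X{key}" converter prints the same MDC value without lookup evaluation.
"""
import re
import xml.etree.ElementTree as ET

# Matches ${ctx:key} and the escaped form $${ctx:key} used inside layouts.
CTX_LOOKUP = re.compile(r"\$\$?\{ctx:([A-Za-z0-9_.-]+)\}")

# Constructed sample configuration: one risky appender, one already hardened.
SAMPLE_CONFIG = """<Configuration status="WARN">
  <Appenders>
    <Console name="Console" target="SYSTEM_OUT">
      <PatternLayout pattern="%d %p user=$${ctx:loginId} %c - %m%n"/>
    </Console>
    <File name="Audit" fileName="audit.log">
      <PatternLayout pattern="%d %p user=%X{loginId} %m%n"/>
    </File>
  </Appenders>
  <Loggers><Root level="info"><AppenderRef ref="Console"/></Root></Loggers>
</Configuration>
"""


def find_context_lookups(xml_text):
    """Return (appender name, original pattern, hardened pattern) for every
    PatternLayout whose pattern contains a ${ctx:...} lookup."""
    root = ET.fromstring(xml_text)
    findings = []
    for element in root.iter():
        for layout in element.findall("PatternLayout"):
            # The pattern may be an attribute or a nested <Pattern> element.
            pattern = layout.get("pattern") or (layout.findtext("Pattern") or "")
            if CTX_LOOKUP.search(pattern):
                hardened = CTX_LOOKUP.sub(r"%X{\1}", pattern)
                findings.append((element.get("name"), pattern, hardened))
    return findings


if __name__ == "__main__":
    for name, before, after in find_context_lookups(SAMPLE_CONFIG):
        print(f"appender {name!r}: context lookup in pattern\n  {before}\n  -> {after}")
```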
CVE-2021-45105 has been fixed in version 2.17.0, which is the third Log4j release in 10 days. Get the details about the Log4j vulnerabilities and the latest updates here.