Skip to main content

Apache Log4j Denial of Service Vulnerability

Release Date: 20 Dec 2021 6934 Views

RISK: Medium Risk

TYPE: Web services - Web Servers

TYPE: Web Servers

A vulnerability has been identified in Apache Log4j. A remote attacker can exploit this vulnerability to trigger denial of service on the targeted system.

 

Note:

Only the log4j-core JAR file is impacted by this vulnerability. Applications using only the log4j-api JAR file without the log4j-core JAR file are not impacted by this vulnerability.


Impact

  • Denial of Service

System / Technologies affected

  • Apache Log4j versions from 2.0-alpha1 to 2.16.0

 

Note:

Non-default Pattern Layout in logging configuration is required to trigger CVE-2021-45105 vulnerability.


Solutions

Before installation of the software, please visit the vendor web-site for more details.

 

  • Java 8 (or later) users should upgrade to release 2.17.0

Alternatively, this can be mitigated in configuration:

  • In PatternLayout in the logging configuration, replace Context Lookups like ${ctx:loginId} or $${ctx:loginId} with Thread Context Map patterns (%X, %mdc, or %MDC).
  • Otherwise, in the configuration, remove references to Context Lookups like ${ctx:loginId} or $${ctx:loginId} where they originate from sources external to the application such as HTTP headers or user input.

 

For Ubuntu

For detail, please refer to the links below:

https://ubuntu.com/security/notices/USN-5203-1


Vulnerability Identifier


Source


Related Link