Apache Log4j Denial of Service Vulnerability

Release Date: 20 Dec 2021 6745 Views

RISK: Medium Risk

Medium Risk

TYPE: Web services - Web Servers

TYPE: Web Servers

A vulnerability has been identified in Apache Log4j. A remote attacker can exploit this vulnerability to trigger denial of service on the targeted system.

 

Note:

Only the log4j-core JAR file is impacted by this vulnerability. Applications using only the log4j-api JAR file without the log4j-core JAR file are not impacted by this vulnerability.

Impact

  • Denial of Service

System / Technologies affected

  • Apache Log4j versions from 2.0-alpha1 to 2.16.0

 

Note:

Non-default Pattern Layout in logging configuration is required to trigger CVE-2021-45105 vulnerability.

Solutions

Before installation of the software, please visit the vendor web-site for more details.

 

  • Java 8 (or later) users should upgrade to release 2.17.0

Alternatively, this can be mitigated in configuration:

  • In PatternLayout in the logging configuration, replace Context Lookups like ${ctx:loginId} or $${ctx:loginId} with Thread Context Map patterns (%X, %mdc, or %MDC).
  • Otherwise, in the configuration, remove references to Context Lookups like ${ctx:loginId} or $${ctx:loginId} where they originate from sources external to the application such as HTTP headers or user input.

 

For Ubuntu

For detail, please refer to the links below:

https://ubuntu.com/security/notices/USN-5203-1

Vulnerability Identifier

Source

Related Link

Related Tags

ApacheDenial of Service

Share with

Previous

IBM WebSphere Application Server Multiple Vulnerabilities

20 Dec 2021 5261 Views

Next

Oracle Java SE and Apache Log4j product Remote Code Execution Vulnerability

10 Dec 2021 16760 Views

We use cookies to give you the best possible experience on our website. By continuing to browse this site, you give consent for cookies to be used. For more details please read our Cookie Policy.

PRIVACY POLICY