Apache Log4j: Thread Context Message Pattern & Context Lookup Pattern Vulnerability
Denial of Service attack vector risk in Apache Log4j, specific to the Thread Context Message Pattern and Context Lookup Pattern functions
Following on from the Log4j (Log4Shell) vulnerability (CVE-2021-44228) announced recently, Apache have released a further update after realising that the v2.15.0 patch does not cover certain non-default configurations. This new issue, tracked as CVE-2021-45046, highlights the additional risk of leaving the environment open to Denial of Service attacks.
1) First, establish whether the systems on which you run Apache Log4j use the default configuration or a bespoke one. If they use a bespoke configuration, patch to Apache Log4j 2.16.0 immediately. If your deployment is standard, remain on the 2.15.0 patch to avoid further disruption.
2) Also check your vendors' updates for specific advice on the platforms you operate, to confirm their status with respect to these CVEs.
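The first step above turns on one question: does your Log4j 2 configuration use a non-default PatternLayout with a Context Lookup or a Thread Context Map pattern? The following script is an added example written for this advisory; it is not Pentesec's or Apache's code. It scans configuration text for the concrete tokens those two features use (${ctx:...} / $${ctx:...} for the Context Lookup, and %X, %mdc, %MDC for the Thread Context Map pattern, as named in Apache's CVE-2021-45046 advisory), reads the log4j-core version from the jar file name, and applies the advisory's decision rule. The file-name globs and the two sample configurations are constructed assumptions; adjust the globs to how your deployment names its config files.

```python
"""Scan Log4j 2 configuration for the non-default PatternLayout features that
CVE-2021-45046 concerns and pair the result with the installed log4j-core
version to decide whether the 2.15.0 patch suffices or 2.16.0 is needed.

Added example for this advisory; not Pentesec or Apache code. The tokens
(${ctx:...}, %X, %mdc, %MDC) are the Context Lookup and Thread Context Map
patterns from Apache's CVE-2021-45046 advisory; the sample configurations
below are constructed for illustration.
"""
import re
from pathlib import Path
from typing import List, Optional, Tuple

Finding = Tuple[int, str, str]  # (line number, kind, matched text)

# Context Lookup in a layout: ${ctx:key} or the lazily evaluated $${ctx:key}.
CONTEXT_LOOKUP = re.compile(r"\$\$?\{ctx:[^}]*\}")
# Thread Context Map conversion patterns: %X, %X{key}, %mdc, %MDC.
THREAD_CONTEXT_MAP = re.compile(r"%(?:X|mdc|MDC)\b")

# Config file names to look for (assumed; adjust to your deployment).
CONFIG_GLOBS = ("log4j2*.xml", "log4j2*.properties", "log4j2*.json", "log4j2*.y*ml")


def find_risky_patterns(config_text: str) -> List[Finding]:
    """Return every risky pattern in the config text with its line number and kind."""
    findings: List[Finding] = []
    for lineno, line in enumerate(config_text.splitlines(), start=1):
        for m in CONTEXT_LOOKUP.finditer(line):
            findings.append((lineno, "context-lookup", m.group(0)))
        for m in THREAD_CONTEXT_MAP.finditer(line):
            findings.append((lineno, "thread-context-map", m.group(0)))
    return findings


def scan_tree(root: Path) -> List[Tuple[Path, Finding]]:
    """Walk a directory and scan every Log4j 2 config file found under it."""
    results: List[Tuple[Path, Finding]] = []
    for pattern in CONFIG_GLOBS:
        for path in root.rglob(pattern):
            text = path.read_text(encoding="utf-8", errors="replace")
            results.extend((path, f) for f in find_risky_patterns(text))
    return results


def version_from_jar_name(name: str) -> Optional[Tuple[int, int, int]]:
    """Parse the version from a log4j-core jar name, e.g. log4j-core-2.15.0.jar."""
    m = re.search(r"log4j-core-(\d+)\.(\d+)\.(\d+)\.jar$", name)
    if not m:
        return None
    major, minor, patch = (int(x) for x in m.groups())
    return (major, minor, patch)


def recommendation(version: Optional[Tuple[int, int, int]], findings: List[Finding]) -> str:
    """Apply the advisory's decision rule to a core version and the scan findings."""
    if version is None:
        return "log4j-core version unknown: identify it before deciding"
    if version < (2, 15, 0):
        return "below 2.15.0: patch for CVE-2021-44228 first"
    if version < (2, 16, 0) and findings:
        return "2.15.0 with non-default pattern: upgrade to 2.16.0 (CVE-2021-45046)"
    if version < (2, 16, 0):
        return "2.15.0 with default patterns: remain on 2.15.0 per the advisory"
    return "2.16.0 or later: no further action for these CVEs"


# Constructed sample: the default-style layout most deployments use.
SAMPLE_DEFAULT = """<Configuration status="WARN">
  <Appenders>
    <Console name="Console" target="SYSTEM_OUT">
      <PatternLayout pattern="%d{HH:mm:ss.SSS} [%t] %-5level %logger{36} - %msg%n"/>
    </Console>
  </Appenders>
</Configuration>
"""

# Constructed sample: a bespoke layout that interpolates thread-context values.
SAMPLE_BESPOKE = """<Configuration status="WARN">
  <Appenders>
    <Console name="Console" target="SYSTEM_OUT">
      <PatternLayout pattern="%d [%t] user=$${ctx:loginId} req=%X{requestId} %msg%n"/>
    </Console>
  </Appenders>
</Configuration>
"""

if __name__ == "__main__":
    import sys
    for label, text in (("default", SAMPLE_DEFAULT), ("bespoke", SAMPLE_BESPOKE)):
        found = find_risky_patterns(text)
        print(label, found, "->", recommendation((2, 15, 0), found))
    if len(sys.argv) > 1:  # scan a real deployment: python scan.py /path/to/app
        for path, (lineno, kind, matched) in scan_tree(Path(sys.argv[1])):
            print(f"{path}:{lineno}: {kind}: {matched}")
```

The regexes are deliberately broad: any occurrence of these tokens in a config file is reported, whether or not it sits inside a PatternLayout, so a hit is a prompt to read the file, not proof on its own. Run it against the directory that holds each application's configuration and its lib folder, and treat any "non-default pattern" result as the bespoke case in step 1.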
Further information can be found here:
Apache Log4j CVEs: The Apache Software Foundation Blog
Pentesec recommend referring to our previous security advisory on CVE-2021-44228 if you have not yet patched to v2.15.0, to mitigate the original vulnerability.
Pentesec Security Essentials customers are under continuous monitoring for attempted exploitation.
Pentesec MDR customers are protected with the SentinelOne MDR platform, which will mitigate any attack relating to this CVE.
We are closely monitoring the situation and any further updates will follow.