A new follow-on log4j vulnerability has been discovered and fixed in 2.16.0

Source: https://www.linkedin.com/posts/the-apache-software-foundation_apache-opensource-innovation-activity-6876303520321040384-csOP

A new follow-on #log4j vulnerability has been discovered and fixed in 2.16.0: (CVE-2021-44228 + CVE-2021-45046) following on from my first post regarding the initial exploit and fixed version 2.15.0

TL;DR: You now need to update your #log4j library to 2.16.0

As you would expect, both sides of the community are active. With that, the previous fixed version 2.15.0 and documented mitigations are still vulnerable in specific non-default configurations, such as using the Thread Context value in the log message Pattern Layout. There is a newer version from apache 2.16.0 that you should upgrade to mitigate this. This more recent version completely removes the message lookup feature, which is the critical enabler of this exploit!

Finally, there is tons of information around the recent #log4j exploits, and some are misleading. Perhaps take your cue from an application security company’s blog post like lunasec

Giving this is an evolving situation still I would not post the latest fixes here instead, please see the official Apache security page for an always up to date fix

Example misleading fixes that would not save you from this log4j exploit 🙂 :
– Updating #Java
– #WAF (Web Application Firewall) filtering
– Simply modifying the log statement format to %m{nolookupzz}

Leave a Reply