Published on: 20 December 2021
Apache Software Foundation has released a security advisory to address a vulnerability in Apache Log4j. A remote attacker could send a specially crafted request to exploit the vulnerability.
Reports indicate that proof-of-concept (PoC) code for a new denial of service vulnerability (CVE-2021-45105) in Apache Log4j is publicly available. Although this vulnerability is not a variant of the remote code execution vulnerability (CVE-2021-44228) covered in the High Threat Security Alert (A21-12-05) issued last week, system administrators are advised to take immediate action to patch their affected systems/applications in view of the recent mass scanning and widespread exploitation activities against Apache Log4j.
A successful attack could lead to denial of service on an affected system.
Apache Software Foundation has released a new version of the product to address the issue. It can be downloaded at the following URL:
https://logging.apache.org/log4j/2.x/security.html
In addition to in-house and self-developed systems/applications, commercial products and open-source software/libraries may also be affected by the vulnerability. A non-exhaustive list of advisories published by product vendors is provided in the table below. It is strongly recommended to consult product vendors on whether the software products in use are affected and whether corresponding patches/mitigation measures are available. If so, system administrators should apply the patches or follow the recommendations provided by the product vendors to mitigate the risk.
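Before any patch can be applied, administrators first need to know where Log4j 2 is deployed, including copies bundled inside third-party applications and nested inside WAR/EAR archives. The script below is an added example written for this advisory, not code from Apache or any vendor. It walks a directory tree, opens every archive (and archives nested inside archives), reads the version that the real log4j-core jar declares in its Maven descriptor or manifest, and flags any copy older than a fixed version supplied by the operator. The fixed version itself is deliberately a parameter: take it from the Apache security page linked above for the release branch in use, since the 2.12.x branch for Java 7 is patched separately from the 2.17.x branch.

```python
"""Inventory log4j-core jars under a directory tree and flag unpatched copies.

Added example for this advisory; the fixed-version threshold is an operator
input taken from the Apache security page, not hard-coded here.
"""
import os
import re
import sys
import zipfile
from io import BytesIO

# Maven descriptor and manifest paths that the real log4j-core jar carries.
POM_PROPS = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
MANIFEST = "META-INF/MANIFEST.MF"
ARCHIVE_EXTS = (".jar", ".war", ".ear", ".zip")


def parse_version(text):
    """'2.14.1' -> (2, 14, 1); any non-numeric suffix such as '-rc1' is dropped."""
    return tuple(int(part) for part in re.findall(r"\d+", text)[:3])


def core_version(zf):
    """Return the log4j-core version declared inside an open ZipFile, or None."""
    names = set(zf.namelist())
    if POM_PROPS in names:
        for line in zf.read(POM_PROPS).decode("utf-8", "replace").splitlines():
            if line.startswith("version="):
                return line.split("=", 1)[1].strip()
    # Fall back to the manifest, but only when the jar really contains log4j-core classes.
    if MANIFEST in names and any(n.startswith("org/apache/logging/log4j/core/") for n in names):
        for line in zf.read(MANIFEST).decode("utf-8", "replace").splitlines():
            if line.startswith("Implementation-Version:"):
                return line.split(":", 1)[1].strip()
    return None


def scan_archive(data, label, fixed_version, findings):
    """Inspect one archive given as bytes, then recurse into archives nested inside it."""
    try:
        zf = zipfile.ZipFile(BytesIO(data))
    except zipfile.BadZipFile:
        return  # not a zip container; nothing to inspect
    with zf:
        version = core_version(zf)
        if version is not None:
            findings.append({
                "path": label,
                "version": version,
                "vulnerable": parse_version(version) < parse_version(fixed_version),
            })
        for name in zf.namelist():
            if name.lower().endswith(ARCHIVE_EXTS):
                # '!' separates the outer file from the nested entry, as in jar: URLs.
                scan_archive(zf.read(name), f"{label}!{name}", fixed_version, findings)


def scan_tree(root, fixed_version):
    """Walk a directory tree and return one finding per log4j-core copy discovered."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for filename in files:
            if filename.lower().endswith(ARCHIVE_EXTS):
                path = os.path.join(dirpath, filename)
                with open(path, "rb") as fh:
                    scan_archive(fh.read(), path, fixed_version, findings)
    return findings


if __name__ == "__main__":
    # Usage: python log4j_inventory.py <directory> <fixed-version-from-apache-page>
    if len(sys.argv) != 3:
        sys.exit("usage: log4j_inventory.py <root-dir> <fixed-version>")
    for f in scan_tree(sys.argv[1], sys.argv[2]):
        status = "UNPATCHED" if f["vulnerable"] else "ok"
        print(f"{status:9} {f['version']:8} {f['path']}")
```

Run it against application roots and container image layers alike; the output lists every embedded copy with its declared version, which is the list to reconcile against vendor advisories. A plain version comparison cannot tell the 2.12.x and 2.17.x branches apart, so run it once per branch threshold if both are present in the estate.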
If the security patch cannot be applied immediately, administrators of affected systems/applications should follow the recommendations provided by Apache Software Foundation and take immediate action to mitigate the risks: