Log4j Vulnerability - Continued

A second vulnerability was discovered in the recently released log4j version 2.15.0, the release that was meant to fix the original issue.


Denial of Service Attack

If a service or application is vulnerable to a DoS attack, an attacker can make it unavailable by bombarding it with an unbounded stream of requests; the service fails because its resources (CPU, memory, threads, connections) are exhausted serving that traffic.

Here is the definition from Wikipedia:

In computing, a denial-of-service attack (DoS attack) is a cyber-attack in which the perpetrator seeks to make a machine or network resource unavailable to its intended users by temporarily or indefinitely disrupting services of a host connected to a network. Denial of service is typically accomplished by flooding the targeted machine or resource with superfluous requests in an attempt to overload systems and prevent some or all legitimate requests from being fulfilled.[1]
In a distributed denial-of-service attack (DDoS attack), the incoming traffic flooding the victim originates from many different sources. This effectively makes it impossible to stop the attack simply by blocking a single source.[2]

CVE-2021-45046

The Apache Log4j2 Thread Context Message Pattern and Context Lookup Pattern are vulnerable to a denial of service attack. It was found that the fix to address CVE-2021-44228 in Apache Log4j 2.15.0 was incomplete in certain non-default configurations.


This could allow attackers, in some situations, to craft malicious input data using a JNDI Lookup pattern, resulting in a DoS attack. Log4j 2.15.0 restricts JNDI LDAP lookups to localhost by default. Note that previous mitigations involving configuration, such as setting the system property log4j2.noFormatMsgLookup to true, do NOT mitigate this specific vulnerability.


Mitigation

  • Java 8 (or later) users should upgrade to release 2.16.0.

  • Users requiring Java 7 should upgrade to release 2.12.2 when it becomes available (work in progress, expected to be available soon).

  • Otherwise, remove the JndiLookup class from the classpath: zip -q -d log4j-core-*.jar org/apache/logging/log4j/core/lookup/JndiLookup.class

Note that only the log4j-core JAR file is impacted by this vulnerability. Applications using only the log4j-api JAR file without the log4j-core JAR file are not impacted by this vulnerability.
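As an added, self-contained example (not code from the original post or from the Apache project), the following Python script turns the advisory above and the mitigation list into a check a defender can run: it reads the log4j-core version from a JAR manifest, tests whether JndiLookup.class is still on the classpath, scans a Log4j2 configuration for the Thread Context Map patterns (%X, %mdc, %MDC) and Context Lookup (${ctx:...}) that the affected non-default configurations use, and can strip the class the same way the zip -q -d mitigation does. The JAR and configuration are constructed in memory for the demonstration, the version check assumes the manifest carries an Implementation-Version header, and all function names are my own.

```python
"""Added example: assess a log4j-core JAR and a Log4j2 config against CVE-2021-45046.

Not part of the original post or of the Log4j project. The JAR and the
configuration used below are constructed fixtures, not real artifacts.
"""
import io
import re
import zipfile

# Class removed by the advisory's "zip -q -d" mitigation.
JNDI_LOOKUP_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"

# Thread Context Map converters (%X, %mdc, %MDC) and the Context Lookup (${ctx:...});
# "$${ctx:" in an XML config also contains "${ctx:", so one pattern covers both forms.
CONTEXT_PATTERN = re.compile(r"%X\b|%mdc\b|%MDC\b|\$\{ctx:")


def parse_version(text):
    """'2.15.0' -> (2, 15, 0); non-numeric suffixes are ignored."""
    return tuple(int(re.match(r"\d+", p).group()) for p in text.split(".")[:3])


def version_is_fixed(version):
    """Fixed releases per the advisory: 2.16.0 (Java 8+) or 2.12.2 (Java 7)."""
    v = parse_version(version)
    if v[:2] == (2, 12):
        return v >= (2, 12, 2)
    return v >= (2, 16, 0)


def manifest_version(jar_bytes):
    """Read Implementation-Version from META-INF/MANIFEST.MF (assumption: header present)."""
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as zf:
        if "META-INF/MANIFEST.MF" not in zf.namelist():
            return None
        manifest = zf.read("META-INF/MANIFEST.MF").decode("utf-8", "replace")
        m = re.search(r"^Implementation-Version:\s*(\S+)", manifest, re.M)
        return m.group(1) if m else None


def has_jndi_lookup(jar_bytes):
    """True if JndiLookup.class is still inside the JAR."""
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as zf:
        return JNDI_LOOKUP_CLASS in zf.namelist()


def remove_jndi_lookup(jar_bytes):
    """Python equivalent of: zip -q -d log4j-core-*.jar .../JndiLookup.class"""
    src = zipfile.ZipFile(io.BytesIO(jar_bytes))
    out = io.BytesIO()
    with zipfile.ZipFile(out, "w", zipfile.ZIP_DEFLATED) as dst:
        for info in src.infolist():
            if info.filename != JNDI_LOOKUP_CLASS:
                dst.writestr(info, src.read(info.filename))
    return out.getvalue()


def config_uses_context_patterns(config_text):
    """Return the set of risky tokens found in any PatternLayout pattern="..." attribute."""
    found = set()
    for m in re.finditer(r'pattern="([^"]*)"', config_text, re.I):
        found.update(CONTEXT_PATTERN.findall(m.group(1)))
    return found


def assess(jar_bytes, config_text):
    """Combine the three checks; 'exposed' needs all three conditions from the advisory."""
    version = manifest_version(jar_bytes)
    unfixed = version is None or not version_is_fixed(version)
    jndi = has_jndi_lookup(jar_bytes)
    risky = config_uses_context_patterns(config_text)
    return {
        "version": version,
        "unfixed_version": unfixed,
        "jndi_lookup_present": jndi,
        "risky_patterns": sorted(risky),
        "exposed": unfixed and jndi and bool(risky),
    }


def build_sample_jar(version, include_jndi_lookup):
    """Constructed fixture: minimal JAR with a manifest and (optionally) a fake class entry."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("META-INF/MANIFEST.MF",
                    f"Manifest-Version: 1.0\nImplementation-Version: {version}\n")
        if include_jndi_lookup:
            zf.writestr(JNDI_LOOKUP_CLASS, b"\xca\xfe\xba\xbe")  # placeholder bytes, not bytecode
    return buf.getvalue()


# Constructed non-default configuration of the kind the advisory describes.
SAMPLE_CONFIG = """<Configuration>
  <Appenders>
    <Console name="Console">
      <PatternLayout pattern="%d %p %c %X{loginId} $${ctx:sessionId} %m%n"/>
    </Console>
  </Appenders>
</Configuration>"""

if __name__ == "__main__":
    jar = build_sample_jar("2.15.0", include_jndi_lookup=True)
    print("before mitigation:", assess(jar, SAMPLE_CONFIG))
    print("after class removal:", assess(remove_jndi_lookup(jar), SAMPLE_CONFIG))
```

On a real host you would read the JAR bytes from each log4j-core-*.jar found on the classpath and the text of the deployed log4j2.xml; the script deliberately reports all three findings separately, because a patched version, a stripped class, and a default PatternLayout are each a different state worth recording, and an unfixed version should be upgraded even when the current configuration happens not to use the risky patterns.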


So the better approach now is to upgrade log4j to version 2.16.0 rather than rely on the configuration-based mitigations.


Please do suggest more content topics of your choice and share your feedback. Also subscribe and appreciate the blog if you like it.
