Apache Rolls Out 3rd Patch to Fix Log4j Vulnerability

Colin Thierry, Writer

The Apache Software Foundation (ASF) has rolled out another patch, version 2.17.0, to address a new Log4j vulnerability. According to the ASF, this flaw in the widely used logging library could be exploited by malicious actors to mount a denial-of-service (DoS) attack.

Apache said on its website that the Log4j team has been made aware of a new security vulnerability, which it has since addressed in Log4j 2.17.0 for Java 8 and up. The advisory states that Apache Log4j2 “does not always protect from infinite recursion in lookup evaluation.”

Apache added that Log4j2 versions 2.0-alpha1 through 2.16.0 did not protect against uncontrolled recursion from self-referential lookups. For example, when the logging configuration uses a non-default PatternLayout with a Context Lookup, an attacker who controls Thread Context Map (MDC) input data can craft input that contains a recursive lookup. This triggers a StackOverflowError that terminates the process, which amounts to a denial-of-service (DoS) attack.

From version 2.17.0 (for Java 8), Apache said, “only lookup strings in configuration are expanded recursively; in any other usage, only the top-level lookup is resolved, and any nested lookups are not resolved.”

In previous updates, Apache said this issue can be mitigated by ensuring that the logging configuration replaces Context Lookups with Thread Context Map patterns in PatternLayout, and by removing references to Context Lookups whose values originate from sources external to the application, such as HTTP headers or user input.
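A configuration check for the mitigation above, added here as an example and not code from Apache or the article: it scans a log4j2.xml document for Context Lookups (${ctx:...} or the lazily evaluated $${ctx:...}) inside any PatternLayout and rewrites them to the %X{key} Thread Context Map converter. The sample configuration is constructed, and the regex assumes the standard ${ctx:key:-default} fallback syntax.

```python
import re
import xml.etree.ElementTree as ET

# A Context Lookup in configuration text: ${ctx:key} or the lazily evaluated
# $${ctx:key}, optionally with Log4j's ${ctx:key:-default} fallback syntax.
CTX_LOOKUP = re.compile(r"\$\$?\{ctx:([^}:]+)(?::-[^}]*)?\}")

# Constructed sample log4j2.xml (not from any real deployment): the first
# appender uses the vulnerable Context Lookup, the second the safe converter.
SAMPLE_CONFIG = """<Configuration status="WARN">
  <Appenders>
    <Console name="Vulnerable" target="SYSTEM_OUT">
      <PatternLayout pattern="%d{HH:mm:ss} user=$${ctx:loginId} %m%n"/>
    </Console>
    <Console name="Safe" target="SYSTEM_OUT">
      <PatternLayout>
        <Pattern>%d{HH:mm:ss} user=%X{loginId} %m%n</Pattern>
      </PatternLayout>
    </Console>
  </Appenders>
  <Loggers><Root level="info"><AppenderRef ref="Vulnerable"/></Root></Loggers>
</Configuration>"""


def find_context_lookups(config_xml):
    """Return (pattern, mdc_key) pairs for every Context Lookup found in a
    PatternLayout, whether given as a pattern attribute or a <Pattern> child."""
    findings = []
    for layout in ET.fromstring(config_xml).iter("PatternLayout"):
        patterns = [layout.get("pattern")] if layout.get("pattern") else []
        patterns += [p.text.strip() for p in layout.findall("Pattern") if p.text]
        for pat in patterns:
            for match in CTX_LOOKUP.finditer(pat):
                findings.append((pat, match.group(1)))
    return findings


def harden_pattern(pattern):
    """Replace each Context Lookup with the %X{key} Thread Context Map converter,
    which prints the MDC value as-is instead of running lookup evaluation on it."""
    return CTX_LOOKUP.sub(lambda m: "%X{" + m.group(1) + "}", pattern)


if __name__ == "__main__":
    for pat, key in find_context_lookups(SAMPLE_CONFIG):
        print(f"Context Lookup on MDC key {key!r}: {pat}")
        print(f"  suggested replacement: {harden_pattern(pat)}")
```

Running it against a real configuration only flags the PatternLayout case the advisory describes; Context Lookups used elsewhere in the configuration still need manual review.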

Last week, the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA) issued a statement warning of a new vulnerability linked to Log4j that could affect many sectors of the internet.

Log4j is a utility that runs in the background of many common software applications and devices, including cell phones, e-commerce platforms, gaming consoles, and other internet-connected devices. Its wide use and prevalence in company systems over the past few decades make this vulnerability particularly severe.

About the Author

Colin Thierry is a former cybersecurity researcher and journalist for SafetyDetectives who has written a wide variety of content for the web over the past 2 years. In his free time, he enjoys spending time outdoors, traveling, watching sports, and playing video games.