Security advisories

Log4j Vulnerabilities Update

December 17, 2021 | 1 MIN READ

Speak With A Security Expert Now

TALK TO AN EXPERT

THE THREAT

The Apache Log4j vulnerability CVE-2021-45046 has been elevated from low severity to critical.

On December 17th, Apache updated their advisory stating that “the fix to address CVE-2021-44228 in Apache Log4j 2.15.0 was incomplete in certain non-default configurations.

CVE-2021-45046 was initially considered to be a Denial of Service (DoS) vulnerability. New research suggests that exploitation may allow a remote threat actor to achieve Remote Code Execution and steal sensitive data from vulnerable systems under certain conditions.

It is recommended that organizations ensure applications running Log4j are updated to the most recent release (2.17.1).

What we’re doing about it

What you should do about it

Additional information

CVE-2021-45046 impacts all versions of Log4j from 2.0-beta9 to 2.15.0, excluding 2.12.2. eSentire is aware of reports stating that CVE-2021-45046 has been exploited in the wild in Denial-of-Service (DoS) attacks; this activity has not been independently verified at this time.

Regarding remote-code execution, Apache states “remote code execution has been demonstrated on macOS but no other tested environments.”

Recent Log4j Vulnerabilities:

References:

[1] https://nvd.nist.gov/vuln/detail/CVE-2021-45046
[2] https://www.praetorian.com/blog/log4j-2-15-0-stills-allows-for-exfiltration-of-sensitive-data/
[3] https://blog.cloudflare.com/protection-against-cve-2021-45046-the-additional-log4j-rce-vulnerability/

View Most Recent Advisories