A new, urgent patch for the near-ubiquitous Java log4j logging library has been released, as the prior one thought to handle the critical Log4Shell vulnerabililty turned out to be incomplete.
Currently, the Log4Shell vulnerability that allows remote code execution and information leakage thanks to directory and domain name system lookups during logging operations is being widely exploited in vulnerable systems.
The initial fix for Log4Shell, version 2.15.0, was found to not address all issues in non-default configuations and could be abused for denial of service attacks through malicious input.
Apache Log4j 2.16.0 is now available. Thanks to the Apache Logging Services Project Management Committee (PMC) for working around the clock to get the release out so quickly!https://t.co/fCVZWwUgN6 #Apache #OpenSource #innovation #community #log4j #security pic.twitter.com/Odhf1xawYl— Apache - The ASF (@TheASF) December 13, 2021
Version 2.16.0 now removes support for message lookup patterns, and disables Java Naming and Directory (JNDI) functionality by default.
Users with releases prior to 2.16.0 can also mitigate against the abovementioned issue by removing the Jndilookup Java class from the path that the application development framework searches.
The Log4Shell vulnerability is being used to plant cryptocurrency miners and ransomware currently, and also used to leak environment variables on cloud services that are unpatched.
It is believed to be one of the most serious vulnerabilities discovered in recent years, and has been in log4j since 2013 when it was added to the logging library as a feature request.