Log4j Vulnerability CVE-2021-45105: What You Need to Know

A third Log4j2 vulnerability was disclosed the night between Dec 17 and 18 by the Apache security team, and was given the ID of CVE-2021-45105.

According to the security advisory, version 2.16.0, which fixed the two previous vulnerabilities, is susceptible to a denial-of-service (DoS) attack caused by a stack overflow in Context Lookups in the configuration file's layout patterns.

What is this CVE about? What can you do to fix it? How does it differ from the previous CVEs?

Distinguishing Between CVE-2021-45105 and Previous Log4j CVEs

After disabling JNDI functionality altogether and removing message lookups, version 2.16.0 was thought to be unaffected by any further exploits involving Lookups in general.

However, although it prevented Remote Code Execution (RCE) and even Local Code Execution (LCE) exploits, it did not address crafted input that could drive the Context Lookup functionality into infinite recursion, which ends in a stack overflow and a crash.
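Because the recursion is triggered through Context Lookups in PatternLayout patterns, the practical check is to find those lookups in your log4j2 configuration and replace them with the Thread Context Map converter (%X{key}), which prints the stored value verbatim instead of re-expanding it; that substitution is the mitigation the Apache advisory for this CVE recommends. The scanner below is an added example, not code from the original post or from the Log4j project, and the configuration it scans is constructed for illustration.

```python
import re

# Matches Context Lookups such as ${ctx:loginId}, $${ctx:loginId} and
# ${ctx:loginId:-anonymous}; group 1 is the key, group 2 the default if any.
CTX_LOOKUP = re.compile(r"\$\$?\{ctx:([^}:]+)(?::-([^}]*))?\}")

# Constructed sample config: the "Risky" appender uses a Context Lookup in its
# layout pattern, the "Safe" appender already uses the %X converter instead.
SAMPLE_CONFIG = """<?xml version="1.0" encoding="UTF-8"?>
<Configuration status="WARN">
  <Appenders>
    <Console name="Risky" target="SYSTEM_OUT">
      <PatternLayout pattern="%d %p user=$${ctx:loginId:-anonymous} - %m%n"/>
    </Console>
    <Console name="Safe" target="SYSTEM_OUT">
      <PatternLayout pattern="%d %p user=%X{loginId} - %m%n"/>
    </Console>
  </Appenders>
  <Loggers><Root level="info"><AppenderRef ref="Risky"/></Root></Loggers>
</Configuration>
"""

def find_context_lookups(config_text):
    """Return (line_number, key, default) for every ctx lookup in the config."""
    hits = []
    for lineno, line in enumerate(config_text.splitlines(), start=1):
        for m in CTX_LOOKUP.finditer(line):
            hits.append((lineno, m.group(1), m.group(2)))
    return hits

def harden_pattern(pattern):
    """Replace each ctx lookup with %X{key}. %X reads the Thread Context Map
    directly, so a value that itself contains ${ctx:...} is logged as-is
    rather than substituted again. A :-default has no %X equivalent and is
    dropped, so lines reported with a default deserve a manual look."""
    return CTX_LOOKUP.sub(lambda m: "%%X{%s}" % m.group(1), pattern)

def harden_config(config_text):
    """Apply harden_pattern to every pattern="..." attribute in the config."""
    return re.sub(r'pattern="([^"]*)"',
                  lambda m: 'pattern="%s"' % harden_pattern(m.group(1)),
                  config_text)

if __name__ == "__main__":
    for lineno, key, default in find_context_lookups(SAMPLE_CONFIG):
        print("line %d: ${ctx:%s} (default=%r) -> %%X{%s}" % (lineno, key, default, key))
    print(harden_config(SAMPLE_CONFIG))
```

The rewrite covers only the pattern attribute form shown here; configurations that put the pattern in a nested `<Pattern>` element or in properties files need the same regex applied to those locations.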

Background: String Substitution in Lookups
