"New Log4j Patch Released to Fix DoS Flaw"

Apache has released a new patch for Log4j to mitigate a high-severity vulnerability, as researchers separately found a new attack vector for the Log4Shell bug. The open-source web server community had previously released a patch to fix the now-infamous CVE-2021-44228 flaw in the popular logging utility. However, in an update, the researchers admitted that this fix did not address a newly discovered issue in Log4j, which has been given a CVSS score of 7.5: Apache Log4j2 versions 2.0-alpha1 through 2.16.0 did not protect against uncontrolled recursion from self-referential lookups.

The news comes as researchers at Blumira made a discovery that effectively expands the attack surface for Log4Shell, by enabling JavaScript WebSocket connections to trigger the remote code execution bug on unpatched Log4j instances. The researchers at Blumira stated that they had previously understood the impact of Log4j to be limited to vulnerable servers, but this newly discovered attack vector means that anyone with a vulnerable Log4j version on their machine or local private network can browse a website and potentially trigger the vulnerability.

The threat from Log4Shell is now so significant that the US Cybersecurity and Infrastructure Security Agency (CISA) on Friday updated its patching deadline for federal agencies from December 24 to "immediately."
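The "uncontrolled recursion from self-referential lookups" behind the DoS flaw is easiest to see with a small model of how `${...}` lookups get expanded. The following is an added illustration, not Log4j's own code: it substitutes `${key}` with a value from a constructed lookup table and then re-resolves the result, which is what lets a value that refers to itself recurse without end. The guarded variant, the depth cap `MAX_DEPTH`, the `ctx:` key naming and the sample context are all assumptions made for this example.

```python
import re

# Simplified model of a ${...} lookup substitution step, written to illustrate
# the recursion problem. It is NOT Log4j's substitutor; keys are assumed to
# look like "ctx:loginId" and the lookup table is constructed for this example.
LOOKUP = re.compile(r"\$\{([^}]*)\}")

# Assumed cap on nesting depth for the guarded resolver (not a Log4j constant).
MAX_DEPTH = 8


class LookupDepthExceeded(Exception):
    """Raised when lookups keep expanding into further lookups past MAX_DEPTH."""


def resolve_unbounded(template, ctx):
    """Substitute every ${key} with ctx[key] and re-resolve the result.

    This mirrors the unguarded behaviour: a value containing a lookup that
    refers to itself never reaches a fixed point, so the recursion is
    uncontrolled and the thread exhausts its stack.
    """
    def repl(match):
        return resolve_unbounded(ctx.get(match.group(1), ""), ctx)
    return LOOKUP.sub(repl, template)


def resolve_bounded(template, ctx, depth=0):
    """Same substitution, but refuses to expand deeper than MAX_DEPTH levels."""
    if depth > MAX_DEPTH:
        raise LookupDepthExceeded(f"lookup nesting exceeded {MAX_DEPTH} levels")

    def repl(match):
        return resolve_bounded(ctx.get(match.group(1), ""), ctx, depth + 1)
    return LOOKUP.sub(repl, template)


def safe_format(template, ctx):
    """Resolve a log pattern, falling back to the literal text on runaway nesting."""
    try:
        return resolve_bounded(template, ctx)
    except LookupDepthExceeded:
        return template  # keep the unexpanded pattern instead of crashing


def unbounded_resolver_overflows(template, ctx):
    """Return True if the unguarded resolver blows the stack on this input."""
    try:
        resolve_unbounded(template, ctx)
        return False
    except RecursionError:
        return True


# Constructed inputs: a benign context and one whose value refers to itself.
BENIGN_CTX = {"ctx:loginId": "alice", "ctx:role": "${ctx:tier}", "ctx:tier": "admin"}
SELF_REF_CTX = {"ctx:loginId": "${ctx:loginId}"}
PATTERN = "user=${ctx:loginId} role=${ctx:role}"

if __name__ == "__main__":
    print(safe_format(PATTERN, BENIGN_CTX))
    print("unguarded resolver overflows:", unbounded_resolver_overflows(PATTERN, SELF_REF_CTX))
    print(safe_format(PATTERN, SELF_REF_CTX))
```

Running it shows the benign context expanding normally (including one level of legitimate nesting), the unguarded resolver failing with a stack overflow on the self-referential value, and the depth-capped resolver degrading to the literal pattern instead. The depth limit is the kind of control a defender wants in any templating or lookup layer that re-resolves its own output; the real fix is to upgrade past the affected versions named in the report.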


Infosecurity reports: "New Log4j Patch Released to Fix DoS Flaw"
