Source: NeuVector Blog

Critical Vulnerability in Apache Log4j 2 (CVE-2021-44228)

A critical, high-severity vulnerability (CVSS v3.0 10/10 rating) in the Apache Log4j open source Java logging library was disclosed Thursday, December 9 on the foundation's GitHub page. On Wednesday, Dec 15 a new vulnerability, CVE-2021-45046, was published and patched, according to this article. This was the result of an incomplete initial patch of CVE-2021-44228, which could be bypassed. On Dec 18 a third vulnerability, CVE-2021-45105, was reported and is patched in v2.17.0. Enterprises are advised to immediately assess the likelihood of being affected by this vulnerability and, if potentially affected, to operate under an 'assumed breach' mentality to assess logs and review unusual network activity, especially egress connections.

[Update 12/20/2021 8:15 am PT] A third Log4j vulnerability has been discovered and patched, CVE-2021-45105, which can result in denial of service (DoS) attacks. This has been rated a high CVSS of 7.5 and is patched in v2.17.0. NeuVector CVE database v2.531 and higher detects all 3 vulnerabilities.

[Update 12/15/2021 7:00 am PT] A new Log4j 2 vulnerability, CVE-2021-45046, has been discovered and patched.

[Update 12/13/2021 9:00 am PT] Added instructions for blocking this vulnerability with Admission Control rules.

[Update 12/13/2021 7:30 am PT] See this post for the SUSE/Rancher statement on this CVE.

[Update 12/12/2021 4:00 pm PT] This post is updated to include scan instructions in NeuVector to detect this CVE. Please update to the latest CVE database from NeuVector, v2.531 or later, to scan for this CVE.

Est. Annual Revenue
$5.0-25M
Est. Employees
25-100
President & CEO

Stephanie Fohn

CEO Approval Rating

86/100