Denial of Service : Apache Log4j 2.x < 2.17.0 DoS Vulnerability (Windows, Dec 2021)

Búsqueda de Vulnerabilidad		Buscar 324607 Descripciones CVE y 145615 Descripciones de Pruebas, accesos 10,000+ referencias cruzadas.
	Pruebas CVE Todos

ID de Prueba: 1.3.6.1.4.1.25623.1.0.117846

Categoría: Denial of Service

Título: Apache Log4j 2.x < 2.17.0 DoS Vulnerability (Windows, Dec 2021) - Version Check

Resumen: Apache Log4j is prone to a denial of service (DoS); vulnerability.

Descripción: Summary:
Apache Log4j is prone to a denial of service (DoS)
vulnerability.

Vulnerability Insight:
Apache Log4j2 did not protect from uncontrolled recursion from
self-referential lookups. When the logging configuration uses a non-default Pattern Layout with a
Context Lookup (for example, $${ctx:loginId}), attackers with control over Thread Context Map
(MDC) input data can craft malicious input data that contains a recursive lookup, resulting in a
StackOverflowError that will terminate the process.

Affected Software/OS:
Apache Log4j versions 2.0.x through 2.16.0.

Solution:
Update to version 2.3.1, 2.12.3, 2.17.0 or later.

CVSS Score:
4.3

CVSS Vector:
AV:N/AC:M/Au:N/C:N/I:N/A:P

Referencia Cruzada: Common Vulnerability Exposure (CVE) ID: CVE-2021-45105
CERT/CC vulnerability note: VU#930724
https://www.kb.cert.org/vuls/id/930724
Cisco Security Advisory: 20211210 Vulnerabilities in Apache Log4j Library Affecting Cisco Products: December 2021
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-apache-log4j-qRuKNEbd
https://cert-portal.siemens.com/productcert/pdf/ssa-479842.pdf
https://cert-portal.siemens.com/productcert/pdf/ssa-501673.pdf
https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2021-0032
https://security.netapp.com/advisory/ntap-20211218-0001/
Debian Security Information: DSA-5024 (Google Search)
https://www.debian.org/security/2021/dsa-5024
https://logging.apache.org/log4j/2.x/security.html
https://www.oracle.com/security-alerts/cpuapr2022.html
https://www.oracle.com/security-alerts/cpujan2022.html
https://www.oracle.com/security-alerts/cpujul2022.html
https://www.zerodayinitiative.com/advisories/ZDI-21-1541/
http://www.openwall.com/lists/oss-security/2021/12/19/1

Copyright Copyright (C) 2021 Greenbone Networks GmbH

Esta es sólo una de 145615 pruebas de vulnerabilidad en nuestra serie de pruebas. Encuentre más sobre cómo ejecutar una auditoría de seguridad completa.
Para ejecutar una prueba gratuita de esta vulnerabilidad contra su sistema, regístrese ahora.

ID de Prueba:	1.3.6.1.4.1.25623.1.0.117846
Categoría:	Denial of Service
Título:	Apache Log4j 2.x < 2.17.0 DoS Vulnerability (Windows, Dec 2021) - Version Check
Resumen:	Apache Log4j is prone to a denial of service (DoS); vulnerability.
Descripción:	Summary: Apache Log4j is prone to a denial of service (DoS) vulnerability. Vulnerability Insight: Apache Log4j2 did not protect from uncontrolled recursion from self-referential lookups. When the logging configuration uses a non-default Pattern Layout with a Context Lookup (for example, $${ctx:loginId}), attackers with control over Thread Context Map (MDC) input data can craft malicious input data that contains a recursive lookup, resulting in a StackOverflowError that will terminate the process. Affected Software/OS: Apache Log4j versions 2.0.x through 2.16.0. Solution: Update to version 2.3.1, 2.12.3, 2.17.0 or later. CVSS Score: 4.3 CVSS Vector: AV:N/AC:M/Au:N/C:N/I:N/A:P
Referencia Cruzada:	Common Vulnerability Exposure (CVE) ID: CVE-2021-45105 CERT/CC vulnerability note: VU#930724 https://www.kb.cert.org/vuls/id/930724 Cisco Security Advisory: 20211210 Vulnerabilities in Apache Log4j Library Affecting Cisco Products: December 2021 https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-apache-log4j-qRuKNEbd https://cert-portal.siemens.com/productcert/pdf/ssa-479842.pdf https://cert-portal.siemens.com/productcert/pdf/ssa-501673.pdf https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2021-0032 https://security.netapp.com/advisory/ntap-20211218-0001/ Debian Security Information: DSA-5024 (Google Search) https://www.debian.org/security/2021/dsa-5024 https://logging.apache.org/log4j/2.x/security.html https://www.oracle.com/security-alerts/cpuapr2022.html https://www.oracle.com/security-alerts/cpujan2022.html https://www.oracle.com/security-alerts/cpujul2022.html https://www.zerodayinitiative.com/advisories/ZDI-21-1541/ http://www.openwall.com/lists/oss-security/2021/12/19/1
Copyright	Copyright (C) 2021 Greenbone Networks GmbH