Apache Log4j, dubbed CVE-2021-44228, is an open-source logging utility in almost all major Java-based applications and servers. Currently running on 3 billion devices worldwide, Log4j has been exposed to a high-risk vulnerability underactive and vigorous exploitation.
A new vulnerability has been identified in version 2.16 of Apache Log4j dubbed CVE-2021-45105. The vulnerability affects the 2.16 patch that addressed the Remote Code Execution (RCE) vulnerability in versions of Log4j prior to 2.1.16 (CVE-2021-45046 and CVE-2021-44228). While not as critical as the RCE, a threat actor can launch a Denial-of-Service attack against the application, or with locale access, execute commands as seen in the RCE. This vulnerability impacts only log4j-core JAR files. Applications using only log4j-api JAR without log4j-core are not affected.