• Products & Services
  • Community & Resources
  • Why ConnectWise
  • Support
Get Started
Explore Business Management
PSA
Professional services automation designed to run your as-a-service business
CPQ
Advanced quote and proposal automation to streamline your quoting
BrightGauge
KPI dashboards and reporting for real-time business insights
ITBoost
Centralized, intuitive IT documentation
Service Leadership
Increase shareholder value and profitability
SmileBack
Customer service feedback for MSPs
WisePay
Payments automation to increase cash flow and streamline processes
Business Management Packages
Curated packages designed to streamline, standardize, and automate your business processes
PSA
Professional services automation designed to run your as-a-service business
CPQ
Advanced quote and proposal automation to streamline your quoting
BrightGauge
KPI dashboards and reporting for real-time business insights
ITBoost
Centralized, intuitive IT documentation
Service Leadership
Increase shareholder value and profitability
SmileBack
Customer service feedback for MSPs
WisePay
WisePay
Payment automation to increase cashflow and streamline processes
Business Management Packages
Optimize your business operations through curated packages designed to streamline, standardize, and automate your business processes
Explore Business Management

See new and upcoming product enhancements in our monthly innovation webinar series!
Register now>>

Explore Cybersecurity
MDR
Monitor and stop malicious activity on endpoints
SIEM
Centralize threat visibility and analysis
SaaS Security
Deliver, manage, and monetize cloud security more easily
Vulnerability Management
Identify cybersecurity risks and routinely scan for vulnerabilities
Access Management
Eliminate shared admin passwords and protect customers
Secure Access Service Edge (SASE)
Apply zero trust secure access for users, locations, and devices
MDR
Monitor and stop malicious activity on endpoints
MDR for Microsoft 365
Monitor, protect, and remediate Microsoft 365 exposures
SIEM
Centralize threat visibility and analysis
Co-Managed SIEM
Deploy 24/7 managed detection and response with SOC services
Vulnerability Management
Identify cybersecurity risks and routinely scan for vulnerabilities
Access Management
Eliminate shared admin passwords and protect customers
Secure Access Service Edge (SASE)
Apply zero trust secure access for users, locations, and devices
Security Dashboard
AI-Driven MSP cybersecurity solutions
Explore Data Protection
SaaS Backup
Safeguard customer cloud app data
Co-Managed Backup
Streamline third-party backup management
x360Recover
Hyper-flexible disaster recovery and business continuity
Cloud Backup
Intelligent data protection for Microsoft 365
x360Cloud
SaaS application data protection
SaaS Backup
Safeguard customer cloud app data
Co-Managed Backup
Streamline third-party backup management
Backup360
Comprehensive MSP backup management
Explore Cybersecurity and Data Protection

See new and upcoming product enhancements in our monthly innovation webinar series!
Register now >>

  • IT Nation

    Industry events and networking

  • ConnectWise

    Peer groups and product training

  • Open Ecosystem

    Top-rated vendors and integrations

  • Resources

    Business-driving insights and guidance

IT Nation
IT Nation Connect
Premier MSP industry conference
IT Nation Secure
MSP cybersecurity industry conference
IT Nation Evolve
Peer groups
IT Nation Grow
Expert guidance for business transition
IT Nation PitchIT
Accelerator program for incubating growth
Wise Up Podcast
Insights and strategies to help your business
IT Nation Europe
Regional MSP industry conference
IT Nation Sydney
APAC MSP Industry Conference
Automation Nation
AI & hyperautomation training
IT Nation Connect
Premier MSP industry conference
IT Nation Secure
MSP cybersecurity industry conference
IT Nation Evolve
Peer groups
IT Nation Grow
Expert guidance for business transition
IT Nation PitchIT
Accelerator program for incubating growth
Wise Up Podcast
Insights and strategies to help your business
IT Nation Europe
Regional MSP industry conference
IT Nation Sydney
APAC MSP Industry Conference
Automation Nation
AI & hyperautomation training
Explore The IT Nation

Join the premier cybersecurity conference for MSPs.
Register Now>>

  • About Us

    Company profile, values, and leaders

  • News

    The latest ConnectWise updates

  • Markets

    Roles and industries we support

The only truly unified platform purpose-built for MSPs.
Learn more >>

  • Partner Support

    ConnectWise solution resources

  • Partner Education

    Certifications and resources

A New New New New Log4J Vulnerability

Yesterday, December 18, 2021, we released an overview of all the Log4j news from the past week (https://www.connectwise.com/resources/log4j-update). At the end of the day yesterday, the Apache Software Foundation released yet another version of Log4j, version 2.17.0, to address yet another vulnerability. The latest vulnerability, CVE-2021-45105 (https://nvd.nist.gov/vuln/detail/CVE-2021-45105), has a CVSS score of 7.5, much better than the 10.0 of the original vulnerability.

This new CVE is caused by improper user validation and results in a potential denial of service attack. I was discussing the list of Log4j vulnerabilities with R.J. McDown (https://twitter.com/beetlechunks), a Senior Security Engineer from the Equinix (https://www.equinix.com/) Red Team who independently ran across what became CVE-2021-45105 simultaneously as it was being reported to Apache by Hideki Okamoto (https://jp.linkedin.com/in/hideki-okamoto-28366769/en-us) of Akamai Technologies (https://www.akamai.com/) and an anonymous vulnerability researcher. According to McDown, “This vulnerability is exploited when an attacker can introduce a specially crafted string into an application that performs a lookup on that string. Current testing has allowed exploitation of this vulnerability in log4j 2.16.0 when the given string is used in the Thread Context Map and the log4j layout pattern references those strings via an explicit lookup.”

According to the Apache Software Foundation’s advisory at https://logging.apache.org/log4j/2.x/security.html:

“Apache Log4j2 versions 2.0-alpha1 through 2.16.0 did not protect from uncontrolled recursion from self-referential lookups. When the logging configuration uses a non-default Pattern Layout with a Context Lookup (for example, $${ctx:loginId}), attackers with control over Thread Context Map (MDC) input data can craft malicious input data that contains a recursive lookup, resulting in a StackOverflowError that will terminate the process. This is also known as a DOS (Denial of Service) attack.”

This bug was originally reported as an issue to Apache’s Jira three days ago, on December 15, https://issues.apache.org/jira/browse/LOG4J2-3230. After several days of discussions and testing it was confirmed that this vulnerability could be used in a DOS attack; however, it does require a very specific edge case, with a non-default configuration option, specifically a non-default “PatternLayout”. With the non-default configuration options in place, and if a few other conditions are met, a string such as "${${::-${::-$${::-j}}}}" could cause infinite recursion, which could result in a Denial of Service. It is important to point out that the risk for this vulnerability is very low, but not zero.

Yesterday, we were recommending everyone upgrade Log4j to version 2.16.0. Today, the recommendation is to upgrade to 2.17.0. Regarding previous JNDI vulnerabilities, CVE-2021-44228 and CVE-2021-45046, Apache did recommend the following command to remove the JndiLookup.class in order to mitigate where an upgrade is not yet possible:

zip -q -d log4j-core-*.jar org/apache/logging/log4j/core/lookup/JndiLookup.class

Unfortunately, this latest CVE is not related to JNDI, so none of the previously recommended methods for mitigating the other Log4j vulnerabilities discovered over the past couple weeks will mitigate this latest vulnerability. The only currently known method for completely mitigating all known Log4j vulnerabilities is to upgrade to the latest version, 2.17.0.

References

https://www.connectwise.com/resources/log4j-update

https://www.connectwise.com/resources/major-vulnerability-in-the-most-common-java-logging-module

https://www.connectwise.com/resources/updates-for-log4j-and-december-patch-tuesday

https://nvd.nist.gov/vuln/detail/CVE-2021-45105

https://logging.apache.org/log4j/2.x/security.html

https://issues.apache.org/jira/browse/LOG4J2-3230