Log4j 2.16.0 Fixes Critical Vulnerabilities: What You Must Know

Apache Log4j 2.16.0 Is Now Available – Critical Update Required

A follow-on vulnerability, CVE-2021-45046, has been found in the fix that version 2.15.0 shipped for the original Log4Shell bug, CVE-2021-44228; Apache Log4j 2.16.0 addresses both. If you are still running 2.15.0 or earlier, your applications may remain exposed in certain non-default configurations.

This is a follow-on from my previous post: Log4J Zero-Day Exploit: Explained with Fixes.

Here’s why this update is critical and what you need to do.

TL;DR

If you’re short on time, here’s the gist:

  • Upgrade your Log4j library to version 2.16.0 immediately.
  • 2.16.0 removes message lookups entirely and disables JNDI access by default; message lookups were the critical enabler of these exploits.
  • Visit the Apache Security Page for the latest updates.
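As an added example (not code from this post or from the Log4j project), here is a small Python scanner for the first item in that list: it finds log4j-core jars under a directory, reads the version from the Maven pom.properties file that the jar carries (falling back to the version in the filename), flags anything below 2.16.0, and reports whether JndiLookup.class is still inside the jar. The jars scanned by demo() are constructed in a temporary directory purely for the example; run it against your own deployment root instead.

```python
import os
import re
import tempfile
import zipfile

# The version this post tells you to upgrade to; anything below it is flagged.
FIXED_VERSION = (2, 16, 0)

# Class that implements the JNDI lookup inside log4j-core (the file some teams
# deleted by hand as a stop-gap); the scanner reports whether it is still there.
JNDI_LOOKUP_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"

# Maven writes this properties file into the jar; it records the artifact version.
POM_PROPERTIES = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"

VERSION_RE = re.compile(r"(\d+)\.(\d+)(?:\.(\d+))?")


def parse_version(text):
    """'2.14.1' -> (2, 14, 1); '2.0-beta9' -> (2, 0, 0); None when no version is present."""
    m = VERSION_RE.search(text)
    if not m:
        return None
    return tuple(int(g) if g else 0 for g in m.groups())


def jar_version(jar_path):
    """Read the log4j-core version from pom.properties, falling back to the filename."""
    with zipfile.ZipFile(jar_path) as jar:
        if POM_PROPERTIES in jar.namelist():
            props = jar.read(POM_PROPERTIES).decode("utf-8", "replace")
            for line in props.splitlines():
                if line.startswith("version="):
                    return parse_version(line.split("=", 1)[1])
    return parse_version(os.path.basename(jar_path))


def has_jndi_lookup(jar_path):
    """True if the jar still ships JndiLookup.class."""
    with zipfile.ZipFile(jar_path) as jar:
        return JNDI_LOOKUP_CLASS in jar.namelist()


def scan_directory(root, fixed=FIXED_VERSION):
    """Find every log4j-core jar under root and decide whether it needs the upgrade.

    Returns {jar_path: {"version": tuple or None, "jndi_lookup": bool, "needs_upgrade": bool}}.
    A jar whose version cannot be read is flagged rather than silently passed.
    """
    findings = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            if name.startswith("log4j-core") and name.endswith(".jar"):
                path = os.path.join(dirpath, name)
                version = jar_version(path)
                findings[path] = {
                    "version": version,
                    "jndi_lookup": has_jndi_lookup(path),
                    "needs_upgrade": version is None or version < fixed,
                }
    return findings


def build_sample_jar(path, version, include_jndi_lookup):
    """Constructed sample: a minimal jar holding only the entries the scanner inspects."""
    with zipfile.ZipFile(path, "w") as jar:
        jar.writestr(POM_PROPERTIES, "groupId=org.apache.logging.log4j\n"
                     "artifactId=log4j-core\nversion=%s\n" % version)
        if include_jndi_lookup:
            # Placeholder bytes standing in for the real class file.
            jar.writestr(JNDI_LOOKUP_CLASS, b"\xca\xfe\xba\xbe")


def demo():
    """Build three constructed jars in a temp dir, scan them, return {basename: finding}."""
    root = tempfile.mkdtemp()
    os.makedirs(os.path.join(root, "app-a", "lib"))
    os.makedirs(os.path.join(root, "app-b", "lib"))
    build_sample_jar(os.path.join(root, "app-a", "lib", "log4j-core-2.14.1.jar"), "2.14.1", True)
    build_sample_jar(os.path.join(root, "app-a", "lib", "log4j-core-2.16.0.jar"), "2.16.0", True)
    # JndiLookup.class was deleted by hand but the jar was never upgraded: still flagged.
    build_sample_jar(os.path.join(root, "app-b", "lib", "log4j-core-2.15.0.jar"), "2.15.0", False)
    return {os.path.basename(p): f for p, f in scan_directory(root).items()}


if __name__ == "__main__":
    for jar_name, finding in sorted(demo().items()):
        print(jar_name, finding)
```

Jars that embed log4j-core inside a fat jar or WAR are not unpacked here; extend the walk to open nested archives if your deployments ship that way.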

Why Version 2.15.0 Isn’t Enough

Version 2.15.0 addressed the original Log4Shell issue (CVE-2021-44228), but its fix was incomplete in certain non-default configurations. If the logging configuration uses a non-default Pattern Layout with either a Context Lookup (for example, $${ctx:loginId}) or a Thread Context Map pattern (%X, %mdc or %MDC), an attacker who controls data placed in the Thread Context Map can still craft input that is interpreted as a JNDI lookup; this is tracked as CVE-2021-45046. Version 2.16.0 eliminates this path by removing message lookup support and disabling JNDI by default.
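To tell whether you are in the non-default configuration described above, the following added example (not from this post or from the Log4j project) parses a log4j2.xml document and reports every PatternLayout pattern that uses a Context Lookup or a Thread Context Map pattern. The two configurations it checks are constructed samples. It covers XML configuration only (JSON, YAML and properties configurations are not handled), and a clean result is no substitute for the upgrade: it only tells you whether the 2.15.0 gap applies to you.

```python
import re
import xml.etree.ElementTree as ET

# The two pattern features named in the Apache advisory for CVE-2021-45046:
# a Context Lookup (${ctx:...} / $${ctx:...}) or a Thread Context Map pattern
# (%X, %mdc, %MDC), each optionally followed by a {key} selector.
RISKY_TOKENS = re.compile(r"\$\$?\{ctx:[^}]*\}|%(?:X|mdc|MDC)\b(?:\{[^}]*\})?")


def layout_patterns(config_xml):
    """Return every PatternLayout pattern string in a log4j2.xml document."""
    root = ET.fromstring(config_xml)
    patterns = []
    for el in root.iter():
        if el.tag.lower() != "patternlayout":
            continue
        # Pattern may be given as an attribute or as a nested <Pattern> element.
        if "pattern" in el.attrib:
            patterns.append(el.attrib["pattern"])
        for child in el:
            if child.tag.lower() == "pattern" and child.text:
                patterns.append(child.text.strip())
    return patterns


def risky_patterns(config_xml):
    """Map each exposed pattern to the tokens that expose it; {} means no such layout."""
    found = {}
    for pattern in layout_patterns(config_xml):
        tokens = RISKY_TOKENS.findall(pattern)
        if tokens:
            found[pattern] = tokens
    return found


# Constructed sample configurations, not taken from any real deployment.
EXPOSED_CONFIG = """
<Configuration status="WARN">
  <Appenders>
    <Console name="Console" target="SYSTEM_OUT">
      <PatternLayout pattern="%d{HH:mm:ss} %-5p user=%X{userId} %c - %m%n"/>
    </Console>
    <File name="Audit" fileName="audit.log">
      <PatternLayout>
        <Pattern>%d session=$${ctx:sessionId} %m%n</Pattern>
      </PatternLayout>
    </File>
  </Appenders>
  <Loggers>
    <Root level="info"><AppenderRef ref="Console"/><AppenderRef ref="Audit"/></Root>
  </Loggers>
</Configuration>
"""

DEFAULT_STYLE_CONFIG = """
<Configuration status="WARN">
  <Appenders>
    <Console name="Console" target="SYSTEM_OUT">
      <PatternLayout pattern="%d{HH:mm:ss} %-5p %c - %m%n"/>
    </Console>
  </Appenders>
  <Loggers>
    <Root level="info"><AppenderRef ref="Console"/></Root>
  </Loggers>
</Configuration>
"""


if __name__ == "__main__":
    for label, cfg in (("exposed", EXPOSED_CONFIG), ("default-style", DEFAULT_STYLE_CONFIG)):
        print(label, risky_patterns(cfg))
```

Read a real file with `risky_patterns(open("log4j2.xml").read())`; any non-empty result means the 2.15.0 fix does not fully protect that appender.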

Misleading Fixes to Avoid

Not all solutions floating around the community are effective. Avoid relying on the following:

  • Updating just the Java version. Newer JDKs disable remote class loading over LDAP by default, but a lookup can still reach classes already on the classpath or leak data through the lookup itself.
  • Filtering with a Web Application Firewall (WAF). Lookup strings can be obfuscated with nested lookups and mixed case to slip past signatures, and not every logged input arrives over HTTP.
  • Changing the log pattern to %m{nolookups}. This turns off lookups only for the message itself, not for other parts of the pattern, and only in the layouts you remember to change.

These approaches won’t fully mitigate the vulnerabilities, so upgrading to version 2.16.0 is your safest bet.

How to Stay Updated

The Log4j exploit has drawn global attention, leading to a flood of information, some of which is inaccurate. For reliable updates, stick to trusted sources such as the Apache Security Page linked above.

What’s Next?

This is an evolving situation, and further updates may arise. Bookmark the Apache Security Page and regularly check for announcements to stay ahead of potential risks.
