Second Log4j vulnerability carries denial-of-service threat, new patch available

December 16, 2021

A second vulnerability affecting Apache Log4j has been disclosed while the security industry is still scrambling to mitigate and patch the severe zero-day flaw in the Java logging library (CVE-2021-44228), dubbed Log4Shell. The new vulnerability, CVE-2021-45046, could allow attackers who control Thread Context Map (MDC) input data to craft malicious input using a JNDI lookup pattern and cause a denial of service (DoS), according to the CVE description. The exposure requires a non-default configuration: a Pattern Layout that uses a Context Lookup (for example $${ctx:loginId}) or a Thread Context Map pattern (%X, %mdc or %MDC).

A patch for the new vulnerability has already been released: Log4j 2.16.0 removes support for message lookup patterns and disables JNDI functionality by default. It supersedes 2.15.0, whose fix for the original flaw was, in the words of the CVE description, “incomplete in certain non-default configurations.” The earlier mitigation of setting the log4j2.formatMsgNoLookups system property to true does not address this new vulnerability, so upgrading is the recommended fix.
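As an added example that is not code from the article or from the Apache Log4j project, the following Python scanner flags log4j-core jars older than 2.16.0 (separating the Log4Shell case from the 2.15.0 incomplete-fix case) and checks a log4j2 configuration for the Context Lookup or Thread Context Map pattern named in the CVE description. It assumes the Maven pom.properties location inside the jar as the place to read the version string, treats the 2.12.2 Java 7 backport as patched (from the Apache release history, not from this article), and runs against constructed fixture jars and config snippets.

```python
"""Added example (not code from the article or from the Apache Log4j project):
flag log4j-core jars that predate the 2.16.0 fix and spot the non-default
PatternLayout condition under which 2.15.0 remains exposed to CVE-2021-45046."""
import io
import re
import tempfile
import zipfile
from pathlib import Path

# Maven-built log4j-core jars carry their version here; assumed as the lookup
# location for this example (shaded or repackaged jars may not have it).
POM_PROPS = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"

# A Context Lookup ($${ctx:...}) or Thread Context Map pattern (%X, %mdc, %MDC)
# in a PatternLayout is the non-default configuration named in the CVE text.
CONTEXT_PATTERNS = re.compile(r"\$\{ctx:|%X\b|%mdc\b|%MDC\b")


def parse_version(version: str) -> tuple:
    """'2.15.0' -> (2, 15, 0); missing components are padded with zeros."""
    parts = [int(p) for p in re.findall(r"\d+", version)[:3]]
    return tuple(parts + [0] * (3 - len(parts)))


def assess_version(version: str) -> list:
    """Return the CVEs from the article that a log4j-core version is exposed to."""
    v = parse_version(version)
    # 2.12.2 is the Java 7 backport that carries both fixes (from the Apache
    # release history, not from the article), so it is treated as patched.
    if v[:2] == (2, 12) and v >= (2, 12, 2):
        return []
    findings = []
    if v < (2, 15, 0):
        findings.append("CVE-2021-44228")   # Log4Shell itself
    if v < (2, 16, 0):
        findings.append("CVE-2021-45046")   # 2.15.0's incomplete fix
    return findings


def log4j_core_version(jar_bytes: bytes):
    """Read the log4j-core version from a jar; None if it is not a log4j-core jar."""
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as zf:
        if POM_PROPS not in zf.namelist():
            return None
        for line in zf.read(POM_PROPS).decode("utf-8").splitlines():
            if line.startswith("version="):
                return line.split("=", 1)[1].strip()
    return None


def uses_context_pattern(config_text: str) -> bool:
    """True if a log4j2 config pulls Thread Context Map data into the layout."""
    return CONTEXT_PATTERNS.search(config_text) is not None


def scan_jars(root) -> list:
    """Walk a directory and return (path, version, cves) for each log4j-core jar."""
    results = []
    for jar in sorted(Path(root).rglob("*.jar")):
        try:
            version = log4j_core_version(jar.read_bytes())
        except zipfile.BadZipFile:
            continue  # not a real zip archive; skip rather than abort the scan
        if version is not None:
            results.append((str(jar), version, assess_version(version)))
    return results


def make_fake_log4j_core_jar(version: str) -> bytes:
    """Constructed fixture: a minimal jar holding only the Maven pom.properties."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(POM_PROPS, "groupId=org.apache.logging.log4j\n"
                               f"artifactId=log4j-core\nversion={version}\n")
    return buf.getvalue()


def demo_scan() -> list:
    """Run the scanner over three constructed jars and return (name, version, cves)."""
    with tempfile.TemporaryDirectory() as tmp:
        for ver in ("2.14.1", "2.15.0", "2.16.0"):
            Path(tmp, f"log4j-core-{ver}.jar").write_bytes(make_fake_log4j_core_jar(ver))
        return [(Path(p).name, v, c) for p, v, c in scan_jars(tmp)]


if __name__ == "__main__":
    for name, version, cves in demo_scan():
        print(f"{name}: log4j-core {version} -> {', '.join(cves) or 'not affected'}")
    # Constructed config snippets: only the second one matches the CVE's condition.
    default_layout = '<PatternLayout pattern="%d %p %c{1.} [%t] %m%n"/>'
    ctx_layout = '<PatternLayout pattern="%d %p [%t] $${ctx:loginId} %m%n"/>'
    print("default layout exposed:", uses_context_pattern(default_layout))
    print("ctx layout exposed:", uses_context_pattern(ctx_layout))
```

The jar check is a heuristic: it does not descend into WAR or EAR archives or recognise shaded jars that drop pom.properties, so a clean scan is not proof of absence. The configuration check only reports whether the non-default condition is present; whether an attacker can actually control the MDC values that reach the layout depends on the application.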

Read More on CSO Online