Less than a week after the initial disclosure of the high-profile Log4Shell vulnerability, the open source Log4j library has received its second major update.

The Apache Software Foundation is now advising organizations running Log4j to update the logging library to version 2.16.0 rather than last week's 2.15.0 build. Unlike last week's update, which only restricted features of the vulnerable JNDI component, the 2.16.0 build disables JNDI by default and removes message lookups entirely.

The update follows the discovery of CVE-2021-45046, a denial-of-service flaw related to the Log4Shell vulnerability that has dominated headlines all week.

The Log4Shell bug (CVE-2021-44228) lets an attacker gain remote code execution on a vulnerable system by sending JNDI lookup strings in attacker-controlled input that the application logs, such as a URL request or a password field.

According to Apache's advisory for CVE-2021-45046, some systems that had installed the 2.15.0 update were still vulnerable: under certain configurations, specifically a non-default Pattern Layout that uses a Context Lookup such as ${ctx:loginId}, an attacker who controls Thread Context Map (MDC) data can trigger a denial of service with a malformed JNDI lookup pattern.

Worse, security vendors believe the flaw also lets attackers subvert the mitigations that had been recommended for unpatched systems. LunaSec said that Log4j 2.14 instances that had been given the previously published mitigation steps (rather than an outright update) would be subject not just to DoS but to full remote code execution attacks.

“Luckily, the scope of this is less because it requires that somebody sets the ThreadContext in order to exploit this,” LunaSec CEO Free Wortley told SearchSecurity. “However, I'm sure that still exists in production at many places.”
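As an added, illustrative check that is not part of this article or of any code published by Apache, LunaSec or Praetorian: the script below inspects a Log4j 2 XML configuration for the precondition both Apache's advisory and Wortley describe, a PatternLayout that resolves Thread Context data through a "${ctx:...}" lookup, and combines that with the Log4j version in use. It assumes the deployment's log4j2.xml is readable and the jar version is known (both hypothetical inputs here; the two configurations are constructed samples), and it is a heuristic: it does not parse properties or YAML configurations and looks only for the "ctx" lookup named in the advisory.

```python
"""Heuristic check for the CVE-2021-45046 precondition in a Log4j 2 config.

Added example for this article; it is not code from Apache, LunaSec or
Praetorian. It assumes you can read the deployment's log4j2.xml and know the
Log4j version on the classpath; the two configs below are constructed samples.
"""
import re
import xml.etree.ElementTree as ET

# A Context Lookup in a PatternLayout: "${ctx:key}" or the runtime-evaluated
# "$${ctx:key}" form. With such a pattern, Log4j substitutes the Thread
# Context value at log time and the substituted value is itself evaluated,
# so user-controlled MDC data such as "${jndi:ldap://...}" gets resolved even
# on 2.15.0, which only disabled lookups inside the log message itself.
CONTEXT_LOOKUP = re.compile(r"\$\$?\{\s*ctx:[^}]*\}", re.IGNORECASE)


def parse_version(version: str) -> tuple:
    """'2.15.0' -> (2, 15, 0); missing components are padded with zeros."""
    parts = [int(p) for p in re.findall(r"\d+", version)][:3]
    return tuple(parts + [0] * (3 - len(parts)))


def version_fixed(version: str) -> bool:
    """True if this release addresses CVE-2021-45046.

    2.16.0 disables JNDI by default and removes message lookups; 2.12.2 is
    the equivalent fix on the Java 7 branch.
    """
    v = parse_version(version)
    return v >= (2, 16, 0) or (2, 12, 2) <= v < (2, 13, 0)


def pattern_layouts(xml_text: str) -> list:
    """Return every pattern string configured on a PatternLayout element,
    whether given as a 'pattern' attribute or a nested <Pattern> element."""
    root = ET.fromstring(xml_text)
    patterns = []
    for el in root.iter():
        if el.tag.lower() != "patternlayout":
            continue
        if "pattern" in el.attrib:
            patterns.append(el.attrib["pattern"])
        for child in el.iter():
            if child is not el and child.tag.lower() == "pattern" and child.text:
                patterns.append(child.text.strip())
    return patterns


def context_lookups(xml_text: str) -> list:
    """All Context Lookup expressions found in the configured patterns."""
    found = []
    for pattern in pattern_layouts(xml_text):
        found.extend(CONTEXT_LOOKUP.findall(pattern))
    return found


def assess(version: str, xml_text: str) -> dict:
    """Combine the version check and the config check.

    Exposure to CVE-2021-45046 needs both an unfixed release and a pattern
    that pulls Thread Context data through a lookup; either fix removes it.
    """
    fixed = version_fixed(version)
    lookups = context_lookups(xml_text)
    return {
        "version": version,
        "version_fixed": fixed,
        "context_lookups": lookups,
        "exposed": (not fixed) and bool(lookups),
    }


# Constructed sample: the non-default layout Apache's advisory warns about.
VULNERABLE_CONFIG = """<Configuration status="WARN">
  <Appenders>
    <Console name="Console" target="SYSTEM_OUT">
      <PatternLayout pattern="%d{ISO8601} %-5p [%t] %c{1} user=$${ctx:loginId} - %m%n"/>
    </Console>
  </Appenders>
  <Loggers>
    <Root level="info"><AppenderRef ref="Console"/></Root>
  </Loggers>
</Configuration>
"""

# Constructed sample after applying Apache's recommended config change:
# the %X{key} (MDC) converter prints the value without lookup evaluation.
SAFE_CONFIG = VULNERABLE_CONFIG.replace("$${ctx:loginId}", "%X{loginId}")


if __name__ == "__main__":
    for ver in ("2.14.1", "2.15.0", "2.16.0"):
        for name, cfg in (("vulnerable", VULNERABLE_CONFIG), ("safe", SAFE_CONFIG)):
            r = assess(ver, cfg)
            print(f"log4j {ver:7} {name:10} lookups={r['context_lookups']} "
                  f"exposed={r['exposed']}")
```

The interesting rows are 2.14.1 and 2.15.0 with the vulnerable layout: the 2.14 case is the one LunaSec flags, where the formatMsgNoLookups mitigation protects the message but not the context lookup in the pattern, and the 2.15.0 case is the one Apache's advisory describes. Rewriting the pattern to %X{loginId} clears the finding on every version, which matches Apache's interim advice for systems that cannot upgrade immediately.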

There is also a new report that the 2.15.0 update does not fully fix Log4Shell. Security vendor Praetorian said the vulnerability could still be exploited to exfiltrate data from an application running Log4j 2.15.0. The researchers note that updating to 2.16.0, where JNDI is disabled by default, prevents the attack.

Praetorian also released a proof-of-concept (PoC) demonstration of the attack but did not publish technical details of the PoC. The company recommended that customers upgrade to 2.16.0 immediately.