Today, a Denial-of-Service (DoS) vulnerability (CVE-2021-45046) was found in the Log4j patch version 2.15. The (remote) code execution vulnerability, which the National Cyber Security Centre (NCSC) discussed in its security advisory NCSC-2021-1052 (in Dutch), has been resolved in both version 2.15 and version 2.16 of Log4j, according to Apache. The NCSC has no information that would cast doubt on this assertion.
The NCSC urgently advises organisations to install a recent version of Log4j.
- If you have version 2.14 or older, update to version 2.16 as soon as possible.
- If you already have version 2.15, the NCSC advises you to update it to version 2.16 if possible.
Our security advisory (NCSC-2021-1052) has been updated to include the most recent information and recommendations.
The NCSC continues to receive reports of limited examples of active misuse. The NCSC advises its partners to regularly consult the most current information on its website.
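
To apply the version thresholds listed above, you first need to know which Log4j versions are actually deployed. The following is an added example, not code from the NCSC or Apache: it walks a directory, opens jar/war/ear archives (including nested ones) and maps each log4j-core version it finds to the recommendation in this advisory. It assumes the Maven metadata file that log4j-core embeds is still present (repackaged archives may strip it); the function names are illustrative.

```python
import io
import re
import sys
import zipfile
from pathlib import Path

# Assumption: the archive still carries the Maven metadata shipped with log4j-core.
POM_PROPS = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
ARCHIVE_SUFFIXES = (".jar", ".war", ".ear")

def advice_for(version: str) -> str:
    """Map a Log4j version string to the recommendation in this advisory."""
    m = re.match(r"(\d+)\.(\d+)", version)
    if not m:
        return "unknown version, check manually"
    major_minor = (int(m.group(1)), int(m.group(2)))
    if major_minor <= (2, 14):
        return "update to 2.16 as soon as possible"
    if major_minor == (2, 15):
        return "update to 2.16 if possible"
    return "meets this advisory's recommendation (2.16 or later)"

def versions_in_archive(data: bytes, label: str, depth: int = 3):
    """Yield (location, version) for log4j-core in an archive and its nested archives."""
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return  # not a readable zip; skip it
    with zf:
        for name in zf.namelist():
            if name == POM_PROPS:
                text = zf.read(name).decode("utf-8", "replace")
                m = re.search(r"^version=(.+)$", text, re.MULTILINE)
                yield label, (m.group(1).strip() if m else "unknown")
            elif name.lower().endswith(ARCHIVE_SUFFIXES) and depth > 0:
                yield from versions_in_archive(zf.read(name), f"{label}!{name}", depth - 1)

def scan(root: str):
    """Return (location, version, advice) for every log4j-core found under root."""
    findings = []
    for path in Path(root).rglob("*"):
        if path.is_file() and path.suffix.lower() in ARCHIVE_SUFFIXES:
            for loc, ver in versions_in_archive(path.read_bytes(), str(path)):
                findings.append((loc, ver, advice_for(ver)))
    return findings

if __name__ == "__main__":
    for loc, ver, advice in scan(sys.argv[1] if len(sys.argv) > 1 else "."):
        print(f"{loc}: log4j-core {ver} -> {advice}")
```

Run it with the directory to inspect as its only argument. An empty result means no embedded metadata was found, not that Log4j is absent.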