· 2 min readsecurityscience

Log4j Gets a Second Patch While the Geminids Light Up the Sky

Apache ships Log4j 2.16.0 after CVE-2021-45046 exposes gaps in the first fix, and the Geminid meteor shower peaks the same week.

If you thought the Log4j fire drill was over once 2.15.0 went out the door, this week is your reminder that patching under pressure rarely gets everything on the first pass. Apache has now disclosed CVE-2021-45046, a follow-on flaw in the same logging library that the initial fix didn’t fully close. The response is Log4j 2.16.0, released today, and if you’re running any Java service that touched log4j-core in the last week, this is not an optional update.

The short version of what happened: the original CVE-2021-44228 patch restricted JNDI lookups but didn’t eliminate the underlying pattern completely in every configuration. That left room for the new CVE to surface, and Apache’s response this time is blunter than a configuration tweak — 2.16.0 disables message lookup substitution entirely by default and removes support for JNDI-based lookups unless explicitly re-enabled. That’s a much safer default posture than trying to patch around edge cases.

For anyone in ops or security right now, the practical guidance hasn’t really changed from last week, it’s just gotten more urgent: inventory everything, don’t trust “we patched already” as a final answer, and treat 2.15.0 as insufficient. If your org shipped the first fix and considered the incident closed, it isn’t. Go check again. The pattern here — first patch incomplete, second CVE follows within days — is a useful case study in why “patch and move on” doesn’t work for a vulnerability class this deep in a dependency tree. Log4j is embedded in an enormous number of downstream products, many of which bundle their own vendored copies, so the update cycle here is going to keep dragging out well past this week.

A better use for your eyes tonight

Assuming you’ve spent the last several days staring at CVE feeds and dependency graphs, here’s a reason to actually go outside. The Geminid meteor shower is peaking right now, around December 13-14, and it’s widely regarded as the most reliable and prolific shower of the year — under good sky conditions you can see up to 120 meteors an hour. Unlike some showers that are notoriously fickle, the Geminids tend to deliver a consistent show year after year, and they’re active enough that you don’t need to be an astronomy nerd with a telescope to enjoy them. Just get away from city lights, give your eyes twenty minutes or so to adjust, and look generally toward the constellation Gemini, though meteors can streak across any part of the sky.

The Geminids are also a bit unusual among meteor showers in that they’re linked to an asteroid rather than a comet — 3200 Phaethon — which has made them a subject of ongoing curiosity for researchers trying to figure out exactly how a rocky body sheds enough debris to seed a shower this dense.

So: patch your Log4j dependencies, and then go stand outside for half an hour. Good week to do both.

Related posts

On this day in other years

Latest on Daily Signal

All posts →