Apache Log4j2 2.15.0, as used in Okta On-Prem MFA Agent 1.4.6 (formerly Okta RSA SecurID Agent), contained an incomplete fix for CVE-2021-44228. Under certain conditions, this could allow attackers to craft malicious input data, resulting in a denial of service (DoS) attack. The new version includes Log4j 2.16.0, which fixes this issue by removing support for message lookup patterns and disabling JNDI functionality by default.
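
One way to confirm the upgrade on a host, as an added example that is not part of Okta's advisory or the agent's own code: it reads the Maven metadata inside each JAR under a directory and reports whether a bundled log4j-core is older than 2.16.0. The directory argument and the function names are assumptions, and the sample JAR is constructed in memory.

```python
import io
import re
import sys
import zipfile
from pathlib import Path

# Maven metadata carried by log4j-core JARs; its version= line names the release.
POM_PROPS = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
# Threshold taken from the advisory; backport branches are not considered here.
FIXED = (2, 16, 0)


def core_version(jar):
    """Return log4j-core's (major, minor, patch) from a JAR path or file object, else None."""
    try:
        with zipfile.ZipFile(jar) as zf:
            props = zf.read(POM_PROPS).decode("utf-8", "replace")
    except (KeyError, zipfile.BadZipFile, OSError):
        return None  # not log4j-core, or an unreadable archive
    m = re.search(r"^version=(\d+)\.(\d+)(?:\.(\d+))?", props, re.M)
    return tuple(int(g or 0) for g in m.groups()) if m else None


def classify(version):
    """Compare a parsed version against the fixed release."""
    if version is None:
        return "not-log4j-core"
    return "fixed" if version >= FIXED else "needs-upgrade"


def scan(root):
    """Check every *.jar file under root; JARs nested inside other JARs are not opened."""
    return [(p.name, classify(core_version(p))) for p in sorted(Path(root).rglob("*.jar"))]


def make_sample_jar(version):
    """Constructed sample: an in-memory JAR holding only the metadata file."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(POM_PROPS, f"artifactId=log4j-core\nversion={version}\n")
    buf.seek(0)
    return buf


if __name__ == "__main__":
    # First argument: the agent's install directory (site-specific, not given in the advisory).
    for name, status in scan(sys.argv[1] if len(sys.argv) > 1 else "."):
        if status != "not-log4j-core":
            print(f"{status:14} {name}")
```

A `needs-upgrade` result means the JAR on disk predates the release named above; a shaded or nested copy of Log4j would not be seen by this check.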