15 December 2021

Second Log4j vulnerability discovered, patch already available

The Apache Software Foundation (ASF) has released a new fix for the Log4j logging utility after it was found that the previous patch designed to address the recently disclosed CVE-2021-44228 flaw (otherwise known as Log4Shell) “was incomplete in certain non-default configurations.”

“It was found that the fix to address CVE-2021-44228 in Apache Log4j 2.15.0 was incomplete in certain non-default configurations. This could allow attackers with control over Thread Context Map (MDC) input data when the logging configuration uses a non-default Pattern Layout with either a Context Lookup (for example, $${ctx:loginId}) or a Thread Context Map pattern (%X, %mdc, or %MDC) to craft malicious input data using a JNDI Lookup pattern resulting in a denial of service (DOS) attack. Log4j 2.15.0 restricts JNDI LDAP lookups to localhost by default. Note that previous mitigations involving configuration such as to set the system property log4j2.noFormatMsgLookup to true do NOT mitigate this specific vulnerability,” Apache said.

The new vulnerability, tracked as CVE-2021-45046, affects all versions of Log4j from 2.0-beta9 through 2.12.1 and 2.13.0 through 2.15.0. The project maintainers have already released the new version, Log4j 2.16.0, to address the issue. Log4j 2.16.0 fixes the problem by removing support for message lookup patterns and disabling JNDI (Java Naming and Directory Interface) functionality by default.
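The conditions Apache describes are easy to check for mechanically: a Log4j version inside one of the two affected ranges, combined with a PatternLayout that pulls Thread Context Map data into the log line. The following is an added example (not Apache's code, not from the original article) of such a configuration check; it assumes Log4j version strings in the `2.x.y` or `2.0-betaN`/`2.0-rcN` form and a pattern string taken from the `PatternLayout` of a `log4j2.xml`.

```python
import re

# Affected ranges named in the advisory (inclusive) and the fixing release.
AFFECTED_RANGES = [("2.0-beta9", "2.12.1"), ("2.13.0", "2.15.0")]
FIXED_VERSION = "2.16.0"

# Assumed version format: 2.x[.y] with an optional -betaN / -rcN suffix.
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)(?:\.(\d+))?(?:-(beta|rc)(\d+))?$")
_PRE_RANK = {"beta": 0, "rc": 1, None: 2}  # pre-releases sort before the final build


def version_key(version: str) -> tuple:
    """Turn '2.0-beta9' or '2.12.1' into a tuple that orders like Log4j releases."""
    m = _VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised Log4j version: {version!r}")
    major, minor, patch, pre, pre_num = m.groups()
    return (int(major), int(minor), int(patch or 0), _PRE_RANK[pre], int(pre_num or 0))


def is_affected_version(version: str) -> bool:
    """True if the version falls inside one of the CVE-2021-45046 ranges."""
    key = version_key(version)
    return any(version_key(lo) <= key <= version_key(hi) for lo, hi in AFFECTED_RANGES)


# PatternLayout elements that copy Thread Context Map (MDC) data into the log line:
# %X / %mdc / %MDC conversion patterns and ${ctx:...} or $${ctx:...} context lookups.
_CONTEXT_TOKENS = re.compile(r"%(?:X|mdc|MDC)\b|\$\$?\{ctx:")


def context_map_tokens(pattern: str) -> list:
    """Return the MDC-referencing tokens found in a PatternLayout pattern string."""
    return _CONTEXT_TOKENS.findall(pattern)


def assess(version: str, pattern: str) -> dict:
    """Combine the version and layout checks into one finding."""
    affected = is_affected_version(version)
    tokens = context_map_tokens(pattern)
    return {
        "version": version,
        "affected_version": affected,
        "context_tokens": tokens,
        # Exposed only when both conditions from the advisory hold.
        "exposed": affected and bool(tokens),
        # The advisory notes log4j2.noFormatMsgLookup does NOT mitigate this issue,
        # so the only listed action is the upgrade.
        "action": f"upgrade to Log4j {FIXED_VERSION}" if affected else "not affected by CVE-2021-45046",
    }
```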

JNDI is an application programming interface (API) that provides naming and directory functionality to applications written using the Java programming language.

The original flaw (CVE-2021-44228) in Log4j, a Java library for logging error messages in applications, is a remote code injection vulnerability that exists due to improper input validation when processing LDAP requests and could be abused by threat actors to hijack servers and apps over the internet. The disclosure of the flaw caused widespread alarm because Log4j is widely used in commonly deployed enterprise systems.

The Dutch National Cyber Security Center released a lengthy list of software affected by CVE-2021-44228.

Furthermore, according to multiple cybersecurity firms, attackers began scanning the internet for vulnerable systems and dropping malware just hours after the vulnerability was publicly disclosed.

“Early reports on December 10th showed merely thousands of attack attempts, rising to over 40,000 during Saturday, December 11th. Twenty-four hours after the initial outbreak our sensors recorded almost 200,000 attempts of attack across the globe, leveraging this vulnerability,” cybersecurity company Check Point reported. “This vulnerability, because of the complexity in patching it and easiness to exploit, seems likely to stay with us for years to come, unless companies and services take immediate action to prevent the attacks on their products by implementing a protection.”
