As the Apache Software Foundation (ASF) released another patch for the widely used log library on Friday-version 2.17.0, Log4j problems continue to accumulate, and malicious actors can use the patch to conduct denial of service (DoS) attacks.
Track as CVE-2021-45105 (CVSS score: 7.5). The new vulnerability affects all versions of the tool, from 2.0-beta9 to 2.16.0. This open source non-profit organization released the vulnerability earlier this week to fix the vulnerability that may lead to remote code execution (CVE -2021-45046), which in turn stems from the “incomplete” fix to CVE-2021-44228, also known as the Log4Shell vulnerability.
“Apache Log4j2 versions 2.0-alpha1 to 2.16.0 do not prevent uncontrolled recursion of self-referential lookups,” ASF explain In the revised consultation. “When the log configuration uses a non-default pattern layout with a context lookup (for example, $${ctx:loginId}), an attacker who controls the input data of the thread context mapping (MDC) can make malicious input data lookups that include recursion, resulting in StackOverflowError terminates the process.”
Hideki Okamoto of Akamai Technologies and an anonymous vulnerability researcher are believed to have reported the vulnerability. However, Log4j version 1.x is not affected by CVE-2021-45105.
It’s worth pointing out that the severity score of CVE-2021-45046 was originally classified as a DoS vulnerability, and has since been revised from 3.7 to 9.0 to reflect that attackers can abuse this vulnerability to send specially crafted strings, leading to ” Information leakage and remote code execution and local code execution in all environments” confirmed a previous report by Praetorian security researchers.
The project maintainer also pointed out that the Log4j 1.x version has ended and is no longer supported, and that the security vulnerabilities discovered by the utility after August 2015 will not be repaired. Users are urged to upgrade to Log4j 2 to obtain the latest fixes.
With the release of the U.S. Cybersecurity and Infrastructure Security Agency (CISA) Emergency order Federal civilian departments and agencies are required to immediately patch Internet-facing systems to resolve Apache Log4j vulnerabilities before December 23, 2021, on the grounds that these vulnerabilities constitute “unacceptable risks.”
With the emergence of Log4j vulnerabilities, Log4j vulnerabilities have become a profitable attack vector and have become the focus of multiple threat actors, including hackers from China, Iran, North Korea, and Turkey, and Conti ransomware groups. A series of subsequent malicious activities. This marks the first time the vulnerability has been discovered by a sophisticated crime software cartel.
“Current exploits have led to multiple use cases, and the Conti team tested the possibility of exploiting Log4j 2 vulnerabilities through these use cases,” AdvIntel researcher Say“Criminals target specific vulnerable groups Log4j 2 VMware vCenter [servers] Moving laterally directly from the infected network, causing vCenter access to affect the US and European victim networks from pre-existing Cobalt Strike sessions. “
Other tools that exploit the vulnerability include cryptocurrency miners, botnets, remote access Trojans, initial access agents, and a new type of ransomware called Khonsari.Israeli security company Check Point said it recorded 3.7 million exploitation attempts To date, 46% of intrusions have been initiated by known malicious organizations.
