The issues with Log4j continued to stack up as the Apache Software Foundation (ASF) on Friday rolled out yet another patch — version 2.17.0 — for the widely used logging library that could be exploited by malicious actors to stage a denial-of-service (DoS) attack.
Tracked as CVE-2021-45105 (CVSS score: 7.5), the new vulnerability affects all versions of the tool from 2.0-beta9 to 2.16.0, which the open-source nonprofit shipped earlier this week to remediate a second flaw that could result in remote code execution (CVE-2021-45046), which, in turn, stemmed from an “incomplete” fix for CVE-2021-44228, otherwise called the Log4Shell vulnerability.
“Apache Log4j2 versions 2.0-alpha1 through 2.16.0 did not protect from uncontrolled recursion from self-referential lookups,” the ASF explained in a revised advisory. “When the logging configuration uses a non-default Pattern Layout with a Context Lookup (for example, $${ctx:loginId}), attackers with control over Thread Context Map (MDC) input data can craft malicious input data that contains a recursive lookup, resulting in a StackOverflowError that will terminate the process.”
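The advisory above names two preconditions for CVE-2021-45105: an affected Log4j 2 version and a PatternLayout that uses a Context Lookup such as `$${ctx:loginId}`. The following added example (not from the advisory or the Log4j project) checks a log4j2.xml configuration for both; the sample configuration, the version range boundaries and the helper names are constructed for illustration.

```python
import re
import xml.etree.ElementTree as ET

# Affected range as stated in the advisory: 2.0-alpha1 through 2.16.0; fixed in 2.17.0.
# Version tuples are (major, minor, patch, prerelease_kind, prerelease_number),
# with prerelease_kind 0=alpha, 1=beta, 2=final so that 2.0-beta9 sorts below 2.0.0.
FIRST_AFFECTED = (2, 0, 0, 0, 1)
FIXED_VERSION = (2, 17, 0, 2, 0)

# Matches both the single-dollar form ${ctx:...} and the lazy form $${ctx:...}.
CTX_LOOKUP = re.compile(r"\$\$?\{ctx:[^}]*\}")

# Constructed sample config: a non-default PatternLayout that embeds a Context Lookup.
SAMPLE_CONFIG = """<?xml version="1.0" encoding="UTF-8"?>
<Configuration status="WARN">
  <Appenders>
    <Console name="Console" target="SYSTEM_OUT">
      <PatternLayout pattern="%d %p %c{1.} [%t] user=$${ctx:loginId} %m%n"/>
    </Console>
  </Appenders>
  <Loggers><Root level="info"><AppenderRef ref="Console"/></Root></Loggers>
</Configuration>"""

def parse_version(v):
    """Turn strings like '2.16.0', '2.0-beta9' or '1.2.17' into a comparable tuple."""
    m = re.fullmatch(r"(\d+)\.(\d+)(?:\.(\d+))?(?:-(alpha|beta)(\d+))?", v.strip())
    if not m:
        raise ValueError(f"unrecognised Log4j version string: {v!r}")
    kind = {"alpha": 0, "beta": 1}.get(m[4], 2)
    return (int(m[1]), int(m[2]), int(m[3] or 0), kind, int(m[5] or 0))

def version_affected(v):
    """True for 2.0-alpha1 <= v < 2.17.0; Log4j 1.x falls below the range."""
    return FIRST_AFFECTED <= parse_version(v) < FIXED_VERSION

def find_context_lookups(config_xml):
    """Return (pattern, [lookups]) for each PatternLayout whose pattern uses ${ctx:...}.
    Handles both the 'pattern' attribute and a nested <Pattern> element."""
    hits = []
    for layout in ET.fromstring(config_xml).iter("PatternLayout"):
        pattern = layout.get("pattern") or (layout.findtext("Pattern") or "")
        found = CTX_LOOKUP.findall(pattern)
        if found:
            hits.append((pattern, found))
    return hits

def assess(config_xml, log4j_version):
    """Exposure to CVE-2021-45105 requires BOTH an affected version and a Context Lookup."""
    hits = find_context_lookups(config_xml)
    affected = version_affected(log4j_version)
    return {"version_affected": affected, "context_lookups": hits,
            "exposed": affected and bool(hits)}
```

Running `assess(SAMPLE_CONFIG, "2.16.0")` reports the layout as exposed, while the same configuration on 2.17.0 or any 1.x release does not.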
Hideki Okamoto of Akamai Technologies and an anonymous vulnerability researcher have been credited with reporting the flaw. Log4j versions 1.x, however, are not affected by CVE-2021-45105.
It’s worth pointing out that the severity score of CVE-2021-45046, originally classified as a DoS bug, has since been revised from 3.7 to 9.0, to reflect the fact that an attacker could abuse the vulnerability to send a specially crafted string that leads to “information leak and remote code execution in some environments and local code execution in all environments,” corroborating a previous report from security researchers at Praetorian.
The project maintainers also noted that Log4j versions 1.x have reached end of life and are no longer supported, and that security flaws uncovered in the utility after August 2015 will not be fixed, urging users to upgrade to Log4j 2 to get the latest fixes.
The development comes as the U.S. Cybersecurity and Infrastructure Security Agency (CISA) issued an emergency directive mandating federal civilian departments and agencies to immediately patch their internet-facing systems for the Apache Log4j vulnerabilities by December 23, 2021, citing that the weaknesses pose an “unacceptable risk.”
The development also comes as the Log4j flaws have emerged as a lucrative attack vector and a focal point for exploitation by multiple threat actors, including nation-backed hackers from the likes of China, Iran, North Korea, and Turkey as well as the Conti ransomware gang, to carry out an array of follow-on malicious activities. This marks the first time the vulnerability has come under the radar of a sophisticated crimeware cartel.
“The current exploitation led to multiple use cases through which the Conti group tested the possibilities of utilizing the Log4j 2 exploit,” AdvIntel researchers said. “the criminals pursued targeting specific vulnerable Log4j 2 VMware vCenter [servers] for lateral movement directly from the compromised network resulting in vCenter access affecting U.S. and European victim networks from the pre-existent Cobalt Strike sessions.”
Among the others to leverage the bug are cryptocurrency miners, botnets, remote access trojans, initial access brokers, and a new ransomware strain called Khonsari. Israeli security firm Check Point said it recorded over 3.7 million exploitation attempts to date, with 46% of those intrusions made by known malicious groups.