Log4Shell - 3rd Vulnerability on Apache Log4j Utility Found
Update:
Mitigation of CVE-2021-45105 DoS vulnerability
- In PatternLayout in the logging configuration, replace Context Lookups like ${ctx:loginId} or $${ctx:loginId} with Thread Context Map patterns (%X, %mdc, or %MDC).
- Otherwise, in the configuration, remove references to Context Lookups like ${ctx:loginId} or $${ctx:loginId} where they originate from sources external to the application such as HTTP headers or user input.
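The two mitigation steps above amount to a configuration audit: find every `${ctx:...}` or `$${ctx:...}` Context Lookup in a PatternLayout and replace it with a Thread Context Map pattern such as `%X{key}`. The script below is an added example, not code from the article or from the Log4j project; it embeds a constructed `log4j2.xml` with the weak setting, reports each lookup it finds, and emits the corrected configuration. Function names (`find_context_lookups`, `harden_pattern`, `harden_config`) and the sample config are this example's own; `%X{key}` is standard Log4j 2 PatternLayout syntax.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample log4j2.xml (not from the article) showing the weak setting:
# Context Lookups inside PatternLayout, in both the attribute and child-element forms.
WEAK_CONFIG = """<?xml version="1.0" encoding="UTF-8"?>
<Configuration status="WARN">
  <Appenders>
    <Console name="Console" target="SYSTEM_OUT">
      <PatternLayout pattern="%d{ISO8601} %p [%t] user=${ctx:loginId} %c{1.} - %m%n"/>
    </Console>
    <File name="Audit" fileName="audit.log">
      <PatternLayout>
        <Pattern>%d %p req=$${ctx:requestId} %m%n</Pattern>
      </PatternLayout>
    </File>
  </Appenders>
  <Loggers>
    <Root level="info">
      <AppenderRef ref="Console"/>
      <AppenderRef ref="Audit"/>
    </Root>
  </Loggers>
</Configuration>
"""

# Matches ${ctx:key} and the double-dollar form $${ctx:key}; group 1 is the key
# (possibly followed by a ':-default' suffix).
CTX_LOOKUP = re.compile(r"\$\$?\{ctx:([^}]*)\}")


def find_context_lookups(pattern):
    """Return the keys of every Context Lookup in a layout pattern string."""
    return CTX_LOOKUP.findall(pattern)


def harden_pattern(pattern):
    """Rewrite each Context Lookup as a Thread Context Map pattern (%X{key}).

    The %X pattern is a plain MDC key reference, so any ':-default' suffix
    of the original lookup is dropped by this script.
    """
    def to_mdc(match):
        key = match.group(1).split(":-", 1)[0]
        return "%X{" + key + "}"
    return CTX_LOOKUP.sub(to_mdc, pattern)


def harden_config(xml_text):
    """Apply harden_pattern to every PatternLayout in a log4j2.xml document.

    Returns (hardened_xml, changes) where changes is a list of (before, after)
    tuples, one per layout pattern that was rewritten.
    """
    root = ET.fromstring(xml_text.encode("utf-8"))
    changes = []
    for layout in root.iter("PatternLayout"):
        # Form 1: <PatternLayout pattern="..."/>
        if "pattern" in layout.attrib:
            before = layout.attrib["pattern"]
            after = harden_pattern(before)
            if after != before:
                layout.set("pattern", after)
                changes.append((before, after))
        # Form 2: <PatternLayout><Pattern>...</Pattern></PatternLayout>
        for child in layout.findall("Pattern"):
            before = child.text or ""
            after = harden_pattern(before)
            if after != before:
                child.text = after
                changes.append((before, after))
    return ET.tostring(root, encoding="unicode"), changes


if __name__ == "__main__":
    hardened, changes = harden_config(WEAK_CONFIG)
    for before, after in changes:
        print("weak:     ", before)
        print("hardened: ", after)
    print(hardened)
```

Run it against a real `log4j2.xml` by passing the file contents to `harden_config`; an empty `changes` list means no Context Lookups were found in any PatternLayout. Lookups that appear elsewhere in the configuration (outside PatternLayout) are not rewritten by this script and still need the second step above: remove them where their values come from outside the application.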
This is the third officially recognized vulnerability in the Apache Log4j utility; the bug described in this post, discovered by Praetorian, may be the fourth if it is officially confirmed.
The original Log4Shell bug is very easy to exploit and leads to Remote Code Execution on a vulnerable system. Dozens of attacker groups started scanning the internet to exploit it. On 14 December 2021, another vulnerability was reported by Kai Mindermann of iCConsult, and the Apache team released the fix for these flaws in Log4j 2.16.0 with the description "fixes/ patch released for CVE-2021-44228, log4j2.15.0 was incomplete in certain non-default configurations".
The second flaw in the Apache Log4j utility is being tracked as CVE-2021-45046 and was reported as a Denial-of-Service (DoS) flaw. Earlier today, this second Log4j vulnerability (CVE-2021-45046) was upgraded from a CVSS score of 3.7 (limited DoS) to a CVSS score of 9.0 (limited RCE), after a researcher showed a technique to achieve RCE on 2.15.0.
Third Security Flaw on Log4j Utility
On December 15, the security firm Praetorian disclosed another vulnerability in the Log4j utility: a separate, third security flaw in Log4j version 2.15.0 that can "allow for exfiltration of sensitive data in certain circumstances".
Praetorian has sent the full technical details of the bug to the Apache Foundation but has not disclosed more publicly. They strongly recommend that customers upgrade to 2.16.0 as quickly as possible, but it is not clear whether this bug has already been addressed in version 2.16.0. At the time of writing, no identifier has been issued for the Praetorian bug.
Video PoC for the Praetorian bug on Apache Log4j
On Tuesday, Cloudflare and Microsoft observed attackers exploiting Log4Shell flaws. On the same day, we reported that hackers were exploiting CVE-2021-44228 to deploy ransomware. After that, Bitdefender published an advisory in which they observed hackers exploiting vulnerabilities in the log4j utility and deploying Khonsari ransomware.
We have a dedicated post on mitigation and resources for the Log4Shell vulnerability and recommend reading it.