You can now find Cyber Kendra on Google News!

[Log4Shell] 3rd Vulnerability on Apache Log4j Utility Found

Log4Shell third vulnerability found after CVE-2021-44228 & CVE-2021-45046

Log4Shell Vulnerability

Update:
Today Apache team has released another security update for log4j 2.16.0 which fixes the DoS vulnerability. The DoS flaw in log4j 2.16.0 is been identified as CVE-2021-45105 with the CVSS base score of 7.5. This vulnerability was discovered by Hideki Okamoto of Akamai Technologies and another anonymous vulnerability researcher.

Apache noted Log4j2 versions 2.0-alpha1 through 2.16.0 did not protect from uncontrolled recursion from self-referential lookups. When the logging configuration uses a non-default Pattern Layout with a Context Lookup (for example, $${ctx:loginId}), attackers with control over Thread Context Map (MDC) input data can craft malicious input data that contains a recursive lookup, resulting in a StackOverflowError that will terminate the process. This is also known as a DOS (Denial of Service) attack.

Mitigation of CVE-2021-45105 DoS vulnerability

For the mitigation of the DoS vulnerability, the Apache team has released v2.17.0 of the log4j utility. Java 8 (or later) users should upgrade to release 2.17.0. 
Furthermore, this can be mitigated in configuration -
  • In PatternLayout in the logging configuration, replace Context Lookups like ${ctx:loginId} or $${ctx:loginId} with Thread Context Map patterns (%X, %mdc, or %MDC).
  • Otherwise, in the configuration, remove references to Context Lookups like ${ctx:loginId} or $${ctx:loginId} where they originate from sources external to the application such as HTTP headers or user input.
Additionally, Apache notes that only the log4j-core JAR file is impacted by this vulnerability. Applications using only the log4j-api JAR file without the log4j-core JAR file are not impacted by this vulnerability. Apache Log4j is the only Logging Services subproject affected by this vulnerability. Other projects like Log4net and Log4cxx are not impacted by this.

This is the third vulnerability (officially recognized) on the Apache Log4j utility, and the vulnerability described on this post which was discovered by Praetorian may be the fourth bug (if officially confirmed).

On December 10, 2021, a critical zero-day on Apache Log4j utility has been surfaced online after which Intenet was on Fire. The vulnerability on Apache Log4j was called "Log4Shell" and can be tracked as CVE-2021-44228. We have first reported that CVE-2021-44228 was reported by the Alibaba cloud security team and provided details of the vulnerability. 

The bug is very easy to exploit and leads to Remote Code Execution on a vulnerable system. Dozens of groups of attackers started scanning the internet to exploit the bug and on 14 December 2021, another vulnerability was reported by iCConsult Kai Mindermann and the Apache team has released the fix of the flaws in Log4j 2.16.0 with the description  "fixes/ patch released for CVE-2021-44228,  log4j2.15.0 was incomplete in certain non-default configurations".

The second flaw on Apache Log4j utility is been tracked as CVE-2021-45046 and was a Denial-of-Service (DoS) flaw. Earlier today, the second Log4j vulnerability (CVE-2021-45046) was upgraded from a CVSS score of 3.7 (limited DOS) to a CVSS score of 9.0 (limited RCE), after the researcher shows the technique to achieve RCE on 2.15.0

Third Security Flaw on Log4j Utility

On December 15, a security firm Praetorian disclosed another vulnerability on Log4j utility. Praetorian found a separate third security flaw inLog4j version 2.15.0 that can "allow for exfiltration of sensitive data in certain circumstances". 

In the meantime, Praetorian has sent all the technical details of the bug to the Apache Foundation but they haven't disclosed more details. They strongly recommend that customers upgrade to 2.16.0 as quickly as possible but it is not clear if this bug has been already addressed in version 2.16.0. At the time of writing, there is no identifier issued to the Praetorian Bug.

Video Poc for Praetorian bug on Apache Log4j

On Tuesday, CloudFlare and Microsoft have observed, attackers exploiting Log4Shell flaws. On the same day, we have reported that hackers are exploiting CVE-2021-44228 to deploy ransomware. After that BitDefender has disclosed the advisory where they observed hackers exploiting vulnerabilities in log4j utility and deploying Khonsari ransomware.

We have a dedicated post for Mitigation and resources for Log4Shell Vulnerability and we recommend to go read that. 

Post a Comment