Log4J 0-day critical patch fix has its own vulnerability which is underexploited


Last Thursday, the world learned about in-the-wild exploitation of a critical zero-day code-execution vulnerability in Log4J, a logging utility used by just about every cloud service and corporate network on the planet. The open source developers quickly released an update that fixed the flaw and urged all users to install it immediately.

Now, researchers are reporting that there are at least two vulnerabilities in the patch, released as Log4J 2.15.0, and that attackers are actively exploiting one or both of them against real-world targets that have already applied the update. Researchers urge organizations to install a new patch, released as version 2.16.0, as soon as possible to address the vulnerability, which is tracked as CVE-2021-45046.

The previous fix, the researchers said Tuesday night, “was incomplete in certain non-default configurations” and allowed attackers to perform denial of service attacks, which typically let them take vulnerable services offline until victims restart their servers or take other action. Version 2.16.0 “addresses this issue by removing support for message lookup patterns and disabling JNDI functionality by default,” according to the vulnerability notice.
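The practical consequence of the advisory is that a deployment on 2.15.0 is not done patching. The following triage script, an added example that is not from the article or the Log4J project, encodes that guidance: it finds log4j-core jars under a directory, reads the version from the jar manifest (assuming an `Implementation-Version` entry, falling back to the file name) and reports whether each one is below 2.16.0, calling out 2.15.0 separately.

```python
"""Triage log4j-core versions against the advisory guidance:
anything below 2.16.0, including the 2.15.0 patch, still needs upgrading."""
import re
import zipfile
from pathlib import Path

FIXED = (2, 16, 0)  # version the advisory names as addressing CVE-2021-45046
JAR_NAME = re.compile(r"log4j-core-(\d+)\.(\d+)\.(\d+)\.jar$")


def parse_version(text: str):
    """Return a (major, minor, patch) tuple from a string such as '2.15.0', else None."""
    m = re.search(r"(\d+)\.(\d+)\.(\d+)", text)
    return tuple(int(x) for x in m.groups()) if m else None


def classify(version: str) -> str:
    """Map a log4j-core version to the action the advisory implies."""
    v = parse_version(version)
    if v is None:
        return "unknown: inspect manually"
    if v >= FIXED:
        return "ok: 2.16.0 or later"
    if v == (2, 15, 0):
        return "upgrade: 2.15.0 is still affected by CVE-2021-45046"
    return "upgrade: pre-2.15.0, exposed to the original zero-day and CVE-2021-45046"


def jar_version(jar: Path):
    """Prefer the manifest's Implementation-Version (assumed present); fall back to the file name."""
    try:
        with zipfile.ZipFile(jar) as zf:
            manifest = zf.read("META-INF/MANIFEST.MF").decode("utf-8", "replace")
        for line in manifest.splitlines():
            if line.startswith("Implementation-Version:"):
                return line.split(":", 1)[1].strip()
    except (zipfile.BadZipFile, KeyError, OSError):
        pass  # not a readable jar or no manifest; the file name is the next best evidence
    m = JAR_NAME.search(jar.name)
    return ".".join(m.groups()) if m else None


def scan(root: str) -> dict:
    """Walk a directory tree and return {jar path: action} for every log4j-core jar found."""
    results = {}
    for jar in Path(root).rglob("log4j-core-*.jar"):
        ver = jar_version(jar)
        results[str(jar)] = classify(ver) if ver else "unknown: inspect manually"
    return results


if __name__ == "__main__":
    import sys
    for path, action in scan(sys.argv[1] if len(sys.argv) > 1 else ".").items():
        print(f"{action:70s} {path}")
```

The file-name fallback only catches jars that keep their upstream name; shaded or renamed bundles need the manifest path or a class-level check.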

Researchers from security firm Praetorian said on Wednesday that there was an even more severe vulnerability in 2.15.0 — an information disclosure vulnerability that can be used to exfiltrate data from affected servers.

“In our research, we have shown that 2.15.0 can still allow the exfiltration of sensitive data under certain circumstances,” wrote Praetorian researcher Nathan Sportsman. “We have forwarded the technical details of the issue to the Apache Foundation, but in the meantime, we strongly recommend that customers upgrade to version 2.16.0 as soon as possible.”

The researchers published the following video, which shows their proof of concept in action:

Log4j 2.15.0 still allows sensitive data exfiltration.

Researchers from the Cloudflare content delivery network, meanwhile, said Wednesday that CVE-2021-45046 is now being actively exploited. The company urged people to update to version 2.16.0 as soon as possible.

Cloudflare’s post did not say whether attackers are using the vulnerability only to perform DoS attacks or whether they are also exploiting it to steal data. Cloudflare researchers were not immediately available to clarify. The Praetorian researchers were also not immediately available to say whether they knew of any in-the-wild attacks exploiting the data exfiltration vulnerability. They also did not provide additional details about the vulnerability, as they did not want to release information that would make it easier for attackers to exploit it.
