Log4j, a second vulnerability discovered: the patch is already out, to be installed immediately

To compound the already difficult picture regarding the CVE-2021-44228 vulnerability, known as Log4Shell, there is now a second vulnerability also affecting Log4j which can lead in certain situations to create a denial of service (DOS). Log4Shell was initially fixed in Log4j version 2.15.0, but found to be “incomplete in some non-default configurations”. The new vulnerability, cataloged with the code CVE-2021-45046is fixed with Log4j version 2.16.0 released by Apache.

The second vulnerability allows attackers to exploit JNDI Lookup to perform a DOS attack. The most immediate solution, if updates or patches cannot be installed due to service continuity or backward compatibility issues, is to disable the JNDI feature.

Meanwhile, attacks that seek to exploit the Log4Shell vulnerability are spreading rapidly. Security firm ESET has released a map showing the impact of the issue on a geographic basis. The highest number of events occurred in the United States, followed by the United Kingdom, Turkey, Germany and the Netherlands. Roman Kovč, ESET Research Director,commented on the situation: “The volume of our detections confirms that this is a large-scale problem that is not going away anytime soon. exploits are not necessarily malicious. Some may be benign, as researchers, infosec companies and penetration testers also test exploits for defense purposes.”

To better understand the scope of the problem, Check Point Research which, since the discovery of the vulnerability, has recorded more than 1.2 million attempts to identify the vulnerability and attempts to exploit on more than 44% of networks business in the world. At the time of writing, Check Point data is updated as of 3:00 p.m. on December 14.

Bitdefender found instead the exploitation of Log4Shell by government-backed groups and the Khonsari ransomware group. It is a relatively new ransomware and with basic functionality compared to other more sophisticated ransomware as a service. Bitdefender notes that Khonsari is likely a threat actor experimenting with the new attack vector, but also warns that more advanced attackers are trying to exploit the vulnerability. Indeed, in the latter case it is likely that their goal is not so much to find a simple and immediate way to harvest loot, but rather to be able to exploit Log4Shell to obtain persistence on a target network and to be able to prepare a more sophisticated aggressive attack later.

The severity of the situation has led the US CISA to require all civilian federal agencies to patch the Log4j vulnerability by December 24. This is a rather tight deadline, which the CTO of Bugcrowd welcomed, but which could be very difficult for most companies to meet: “They have to find Log4j before they can fix it, and many are still at this stage. found, it is likely to be deeply integrated into existing applications and will require several tests to ensure that a fix won’t break anything else. few days will be hard for many”. Even the The Italian CSIRT has activated a reference page for the Log4Shell vulnerability.

As we have already observed, the spread of Log4j, its close interdependence with other elements, and the ease of exploitation of the Log4Shell vulnerability make the situation particularly serious, creating a truly infinite pool of potential targets. Currently, criminal groups and attackers of all kinds and for all purposes can be expected to attempt to exploit the vulnerability to gain access to anything they have access to, before countermeasures are widely put in place. implemented so that they can carry out attacks even later. The current priority is to reduce exposure by applying appropriate patches (or temporary mitigations where remediation is not possible) and carefully verifying exposed or compromised elements within the infrastructure. We refer to Techsolvency for further information and updates on the situation.