As though discovering one easily exploited and highly deadly bug in the widely used Java logging library Apache Log4j wasn’t enough, researchers have now found a new vulnerability in Apache’s patch published to prevent it.
Last Thursday, security experts started warning that a weakness in Apache Log4j known as CVE-2021-44228 has been under active attack and could crash the Internet. The vulnerability, named Log4Shell by LunaSec, is a remote code execution (RCE) flaw that’s easy to attack in many services and products. It’s found in the widely used Java logging library.
Attacks exploiting Log4Shell were launched almost immediately, delivering malicious code to servers or clients running the Java version of Minecraft by altering log messages, including content written into chat messages. The attackers then started branching out, creating 60 or more variations of the initial exploit in a single day.
Last Friday, Apache rushed out a patch to solve Log4Shell in Log4j version 2.15.0. According to an Apache.org security alert, researchers have discovered that this update “is insufficient in some non-default settings” and paves the way for denial of service (DoS) attacks in certain circumstances.
As per the alert, the newly found weakness, identified as CVE-2021-45046, might allow attackers who control Thread Context Map (MDC) input data to craft malicious input using a Java Naming and Directory Interface (JNDI) Lookup pattern in some cases, culminating in a DoS attack.
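The "non-default settings" the advisory refers to are PatternLayouts that pull Thread Context Map data into the log line, either through a Context Lookup such as `$${ctx:loginId}` or through an MDC converter (`%X`, `%mdc`, `%MDC`). The following Python scanner, an added example that is not part of the original article or of Apache's own tooling, flags such layouts in a log4j2.xml so a defender can prioritise which deployments still need the 2.16.0 upgrade; the sample configuration is constructed for the example.

```python
"""Flag Log4j 2 configurations whose PatternLayout exposes Thread Context Map
(MDC) data, the non-default setting that made the 2.15.0 fix incomplete
(CVE-2021-45046)."""
import re
import xml.etree.ElementTree as ET

# Regexes derived from the Apache advisory wording for CVE-2021-45046.
CONTEXT_LOOKUP = re.compile(r"\$\$?\{ctx:")      # ${ctx:name} or $${ctx:name}
MDC_CONVERTER = re.compile(r"%(X|mdc|MDC)\b")    # %X{name}, %mdc{name}, %MDC


def risky_patterns(log4j2_xml: str) -> list:
    """Return (appender name, pattern) for every PatternLayout that pulls
    MDC/context data into the formatted log line."""
    root = ET.fromstring(log4j2_xml)
    hits = []
    for appender in root.iter():            # walk every element, any nesting
        for layout in appender:
            if layout.tag != "PatternLayout":
                continue
            # The pattern may be an attribute or a nested <Pattern> element.
            pattern = layout.get("pattern") or (layout.findtext("Pattern") or "")
            if CONTEXT_LOOKUP.search(pattern) or MDC_CONVERTER.search(pattern):
                hits.append((appender.get("name", appender.tag), pattern))
    return hits


# Constructed sample config: one safe appender, one that interpolates MDC data.
SAMPLE_CONFIG = """<Configuration status="WARN">
  <Appenders>
    <Console name="Safe" target="SYSTEM_OUT">
      <PatternLayout pattern="%d{HH:mm:ss} [%t] %-5level %logger{36} - %msg%n"/>
    </Console>
    <Console name="Risky" target="SYSTEM_OUT">
      <PatternLayout pattern="%d{HH:mm:ss} user=$${ctx:loginId} %X{requestId} - %msg%n"/>
    </Console>
  </Appenders>
  <Loggers><Root level="info"><AppenderRef ref="Risky"/></Root></Loggers>
</Configuration>"""

if __name__ == "__main__":
    for name, pattern in risky_patterns(SAMPLE_CONFIG):
        print(f"appender {name!r} exposes MDC data: {pattern}")
```

A hit means attacker-influenced MDC values reach the layout, so the host should be moved to 2.16.0 (or 2.12.2 on Java 7) rather than relying on the 2.15.0 patch alone.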
A security expert said that researchers and security experts are still trying to get their brains around the vast and far-reaching ramifications of Log4Shell and the possibility for even more similar issues to be discovered. Similarly, researchers at RiskBased Security said in a blog post that there is already considerable misunderstanding about how many vulnerabilities connected to Log4Shell exist and how they all relate to one another, contributing to the avalanche of information being disclosed about the flaw.
At present, there are three CVEs linked with Log4Shell: CVE-2021-44228, the original zero-day; CVE-2021-45046, the “incomplete fix”; and CVE-2021-4104, a problem uncovered in another Log4j component, JMSAppender, that the RiskBased Security team believes isn’t of considerable significance. Researchers claim that CVE-2021-44228 is “essentially the same vulnerability” and that it is not a new bug at all.
“MITRE and CVE Numbering Authorities (CNA) will assign a second CVE ID in cases of fixes not fully patching an issue,” the researchers noted. “This helps some organizations in tracking an issue while introducing confusion to others.”
According to some security experts, although multiple CVEs are sometimes treated as a single vulnerability, this is not the case with Log4Shell. There’s much debate about this currently.
One thing is sure about the growing controversy surrounding Log4Shell: Because the vulnerability’s attack surface is so large, there’s a lot of room for extended and further exploitation.
Whatever happens in the future, the situation is likely to worsen before it improves, as variants of the original exploit continue to emerge and attackers continue to swarm. It means the dust around Log4Shell is unlikely to settle for a long time.