Patch fixing critical Log4J 0-day has its own vulnerability that’s under exploit


Last Thursday, the world learned of an in-the-wild exploitation of a critical code-execution zero-day in Log4J, a logging utility used by just about every cloud service and enterprise network on the planet. Open source developers quickly released an update that patched the flaw and urged all users to install it immediately.

Now, researchers are reporting that there are at least two vulnerabilities in the patch, released as Log4J 2.15.0, and that attackers are actively exploiting one or both of them against real-world targets who have already applied the update. The researchers are urging organizations to install a new patch, released as version 2.16.0, as soon as possible to fix the vulnerability, which is tracked as CVE-2021-45046.

The Log4j project's vulnerability notice, published late on Tuesday, said the earlier fix “was incomplete in certain non-default configurations” and made it possible for attackers to perform denial-of-service attacks, which can knock a vulnerable service offline until its operators restart it or otherwise intervene. Version 2.16.0 “fixes this issue by removing support for message lookup patterns and disabling JNDI functionality by default,” according to that notice.
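
Because the only complete remedy the notice offers is moving to 2.16.0, the first practical task for most teams was an inventory: which log4j-core JARs are deployed, at what version, and whether the JNDI lookup class has already been stripped as a stopgap. The following scanner is an added example written for this page; it is not code from Ars Technica, Praetorian, Cloudflare or the Apache Log4j project. It assumes the layout of Maven-built log4j-core artifacts (a `pom.properties` under `META-INF/maven/org.apache.logging.log4j/log4j-core/` carrying a `version=` line, and the lookup class at `org/apache/logging/log4j/core/lookup/JndiLookup.class`), falls back to the version in the file name, and builds its own constructed sample JARs so it runs offline.

```python
"""Inventory log4j-core JARs on disk and flag those still below 2.16.0.

Added example for this article, not code from Ars Technica, Praetorian,
Cloudflare or the Apache Log4j project.  Assumptions: Maven-style JAR layout
(pom.properties with a 'version=' line) and the JndiLookup class path below.
"""
import os
import re
import tempfile
import zipfile

FIXED_VERSION = (2, 16, 0)  # release the advisory tells users to move to
POM_PROPERTIES = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
JNDI_LOOKUP_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
FILENAME_VERSION = re.compile(r"log4j-core-(\d+(?:\.\d+)+)")


def parse_version(text):
    """Turn '2.15.0' into (2, 15, 0) so versions compare numerically, not as strings."""
    return tuple(int(part) for part in text.split("."))


def jar_version(jar):
    """Read the version from pom.properties; fall back to the JAR file name."""
    if POM_PROPERTIES in jar.namelist():
        for line in jar.read(POM_PROPERTIES).decode("utf-8", "replace").splitlines():
            if line.startswith("version="):
                return parse_version(line.split("=", 1)[1].strip())
    match = FILENAME_VERSION.search(os.path.basename(jar.filename))
    return parse_version(match.group(1)) if match else None


def assess_jar(path):
    """Describe one JAR: version, whether JndiLookup.class is present, and a verdict."""
    with zipfile.ZipFile(path) as jar:
        version = jar_version(jar)
        has_jndi = JNDI_LOOKUP_CLASS in jar.namelist()
    if version is None:
        verdict = "unknown version: inspect manually"
    elif version >= FIXED_VERSION:
        verdict = "ok: 2.16.0 or later"
    elif not has_jndi:
        # Class removed from the JAR is the stopgap mitigation; an upgrade is still due.
        verdict = "mitigated: JndiLookup.class removed, still upgrade to 2.16.0"
    else:
        verdict = "vulnerable: below 2.16.0 with JNDI lookup present"
    return {"path": path, "version": version, "jndi_lookup": has_jndi, "verdict": verdict}


def scan(root):
    """Walk a directory tree and assess every log4j-core JAR found under it."""
    results = []
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            if name.startswith("log4j-core") and name.endswith(".jar"):
                results.append(assess_jar(os.path.join(dirpath, name)))
    return results


def build_sample_jar(path, version, include_jndi_lookup):
    """Constructed fixture: a minimal ZIP shaped like a log4j-core JAR (not a real artifact)."""
    with zipfile.ZipFile(path, "w") as jar:
        jar.writestr(POM_PROPERTIES,
                     f"groupId=org.apache.logging.log4j\nartifactId=log4j-core\nversion={version}\n")
        if include_jndi_lookup:
            jar.writestr(JNDI_LOOKUP_CLASS, b"\xca\xfe\xba\xbe")  # class-file magic only


def demo():
    """Build constructed fixtures in a temp dir, scan them, and return {file name: verdict}."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_jar(os.path.join(tmp, "log4j-core-2.14.1.jar"), "2.14.1", True)
        build_sample_jar(os.path.join(tmp, "log4j-core-2.15.0.jar"), "2.15.0", True)
        build_sample_jar(os.path.join(tmp, "log4j-core-2.15.0-stripped.jar"), "2.15.0", False)
        build_sample_jar(os.path.join(tmp, "log4j-core-2.16.0.jar"), "2.16.0", True)
        return {os.path.basename(r["path"]): r["verdict"] for r in scan(tmp)}


if __name__ == "__main__":
    for name, verdict in sorted(demo().items()):
        print(f"{name}: {verdict}")
```

Point `scan()` at an application's lib directory or an unpacked container image to run it against real hosts. The version tuple comparison is what matters: a string comparison would rank "2.9.1" above "2.16.0", which is exactly the kind of false "ok" an inventory must avoid.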

On Wednesday, researchers at security firm Praetorian said there is an even more serious vulnerability in 2.15.0: an information-disclosure flaw that can be used to exfiltrate data from affected servers.

“In our research, we have demonstrated that 2.15.0 can still allow for exfiltration of sensitive data in certain circumstances,” Praetorian researcher Nathan Sportsman wrote. “We have passed technical details of the issue to the Apache Foundation, but in the interim, we strongly recommend that customers upgrade to 2.16.0 as quickly as possible.”

The researchers released a video, titled “Log4j 2.15.0 still allows for exfiltration of sensitive data,” showing their proof-of-concept exploit in action.

Researchers for content delivery network Cloudflare, meanwhile, said on Wednesday that CVE-2021-45046 is now under active exploitation. The company urged people to update to version 2.16.0 as soon as possible.

The Cloudflare post didn’t say whether attackers are using the vulnerability only for DoS attacks or also to steal data, and researchers from Cloudflare weren’t immediately available to clarify. Praetorian researchers likewise weren’t immediately available to say whether they’re aware of in-the-wild attacks exploiting the data-exfiltration flaw. They also withheld further technical details of the vulnerability so as not to make it easier for attackers to exploit.