Another Log4j Vulnerability Discovered

The patch to fix the Log4j vulnerability was incomplete. A new patch, Log4j 2.16.0 has already been released.

A second vulnerability around Apache Log4j was discovered recently after cybersecurity experts spent days attempting to patch or mitigate CVE-2021-44228. 

After the warning and actions from U.S. administration cyber officials concerning hundreds of millions of devices around the globe, which could be exposed to a newly revealed vulnerability on Java-based software Log4j, a security fix was released by the Apache Software Foundation, which manages the Log4j software.

The findings of the new vulnerability, CVE 2021-45046, postulates the fix to address CVE-2021-44228 in Apache Log4j 2.15.0 was incomplete in some non-default configurations.

"This could allow... to craft malicious input data using a JNDI Lookup pattern resulting in a denial of service (DOS) attack," reads the CVE description.

Apache Software Foundation has already released a new patch, Log4j 2.16.0, to resolve the issue. Log4j 2.16.0 fixes the problem, notes CVE, by removing support for message lookup patterns and disabling JNDI functionality by default. 

Principal threat hunter at Netenrich, John Bambenek, told ZDNet that the solution to the issue is to disable JNDI functionality completely, which in fact is the default behavior in the latest patch.

Global security company ESET released a map showing where Log4j exploitation attempts have been made, with the highest volume happening in the US, and the UK.

Source: ESET

Many organizations are experiencing attacks because of the vulnerability. Security platform Armis have detected log4shell attack attempts in more than a third of its clients. The hackers are targeting physical servers, IP cameras, manufacturing devices, virtual servers, and attendance systems.