Another Java Log4j vulnerability discovered
New flaw is much less severe than the Log4jshell vulnerability, but admins are advised to update Log4j once again
A new vulnerability has been discovered in the Log4j Java logging library which also affects the version released last week to patch the flaw known as Log4jshell.
The Apache Foundation rushed out Log4j version 2.15.0 last week after the severe remote code execution flaw Log4jshell (CVE-2021-44228) was discovered in versions 2.00 to 2.14.x.
However, another vulnerability has now been found in the library. The patch in v2.15.0 is "incomplete in certain non-default configurations" according to the US National Institute of Standards and Technology (NIST).
Fortunately, the newly discovered flaw appears to be much less serious than Log4jshell. Nevertheless, says NIST, CVE-2021-45046, which was still awaiting full analysis at the time of writing, "could allow attackers with control over Thread Context Map (MDC) input data when the logging configuration uses a non-default Pattern Layout."
The vulnerability affects all versions of Log4j from 2.0 onwards and is a pre-existing flaw, rather than one introduced with the new version.
The Apache Foundation has since released an updated version of Log4j, v2.16.0, to fix the flaw, which is described as being of Moderate severity with a CVSS score of 3.7, as opposed to the 10 out of 10 accorded to Log4jshell.
The flaw may be less severe, but with all the attention on Log4jshell, with thousands of exploitation attempts recorded by security researchers and bespoke toolkits already emerging for that purpose, the concern is that attackers could turn their attention to this new flaw too, potentially using it to launch a denial of service attack.
Therefore, Apache advises admins to update to version 2.16.0, which completely disables the vulnerable message lookups feature and also disables access to the Java Naming and Directory Interface (JNDI) by default. JNDI lookups must now be explicitly enabled.
The new version also restricts the LDAP protocol to accessing Java primitive objects only.
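The practical first step behind Apache's advice is finding out which copies of log4j-core are actually deployed, including the ones buried inside application archives. The following script is an added example written for this article; it is not Apache's tooling. It reads the Maven version metadata that log4j-core ships inside its jar, recurses into nested jars (a Spring Boot fat jar keeps dependencies under BOOT-INF/lib/), and classifies each hit against the 2.16.0 threshold the article gives. The fixture jars built by make_fake_jar are constructed for the demonstration.

```python
"""Flag deployed log4j-core jars older than 2.16.0 (added example, not Apache's own tooling)."""
import io
import re
import sys
import zipfile
from pathlib import Path
from typing import Iterator, List, Optional, Tuple

# Threshold from the article: 2.16.0 disables message lookups and JNDI access by default.
# Kept as a constant so the bar can be raised if later Apache guidance moves it.
FIXED_VERSION = (2, 16, 0)
# Maven metadata file that log4j-core carries inside its jar; the version is read from here.
POM_PROPERTIES = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"


def parse_version(text: str) -> Tuple[int, int, int]:
    """'2.14.1' -> (2, 14, 1); a missing patch component counts as 0, qualifiers like '-rc1' are ignored."""
    m = re.match(r"\s*(\d+)\.(\d+)(?:\.(\d+))?", text)
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    major, minor, patch = m.groups(default="0")
    return int(major), int(minor), int(patch)


def assess(version: str) -> str:
    """Classify a log4j-core version against the affected range (2.0 up to, but not including, 2.16.0)."""
    v = parse_version(version)
    if v < (2, 0, 0):
        return "out-of-scope"   # Log4j 1.x is a separate code base, not covered by these two CVEs
    if v < FIXED_VERSION:
        return "vulnerable"     # CVE-2021-45046; below 2.15.0 also CVE-2021-44228 (Log4jshell)
    return "fixed"


def log4j_core_versions(jar_bytes: bytes, label: str = "<jar>") -> Iterator[Tuple[str, str]]:
    """Yield (location, version) for every log4j-core metadata file found, recursing into nested jars."""
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as zf:
        names = zf.namelist()
        if POM_PROPERTIES in names:
            for line in zf.read(POM_PROPERTIES).decode("utf-8", "replace").splitlines():
                key, sep, value = line.partition("=")
                if sep and key.strip() == "version":
                    yield label, value.strip()
        for name in names:
            if name.lower().endswith(".jar"):
                # Nested archive: read it as bytes and scan it with a '!' path, like a JAR URL.
                yield from log4j_core_versions(zf.read(name), f"{label}!{name}")


def scan_jar(jar_bytes: bytes, label: str = "<jar>") -> List[Tuple[str, str, str]]:
    """Return [(location, version, status)]; empty when the archive carries no log4j-core metadata."""
    return [(loc, ver, assess(ver)) for loc, ver in log4j_core_versions(jar_bytes, label)]


def scan_tree(root: str) -> List[Tuple[str, str, str]]:
    """Walk a directory and scan every .jar, .war and .ear file found under it."""
    results: List[Tuple[str, str, str]] = []
    for path in Path(root).rglob("*"):
        if path.is_file() and path.suffix.lower() in (".jar", ".war", ".ear"):
            results.extend(scan_jar(path.read_bytes(), str(path)))
    return results


def make_fake_jar(version: str, nested_in: Optional[str] = None) -> bytes:
    """Constructed fixture: a jar holding only the Maven metadata, optionally wrapped in an outer jar."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(POM_PROPERTIES,
                    f"version={version}\ngroupId=org.apache.logging.log4j\nartifactId=log4j-core\n")
    inner = buf.getvalue()
    if nested_in is None:
        return inner
    outer = io.BytesIO()
    with zipfile.ZipFile(outer, "w") as zf:
        zf.writestr(nested_in, inner)   # e.g. BOOT-INF/lib/log4j-core-2.14.1.jar inside a fat jar
    return outer.getvalue()


if __name__ == "__main__":
    # Usage: python log4j_scan.py /path/to/deployments
    for loc, ver, status in scan_tree(sys.argv[1] if len(sys.argv) > 1 else "."):
        print(f"{status:12} {ver:10} {loc}")
```

The scan is only as good as the metadata: a jar that has been repackaged without its META-INF/maven tree, or a copy of the library loaded from somewhere other than an archive on disk, will not show up, so an empty result is not proof of absence. Treat "vulnerable" hits as the update list and "fixed" hits as the confirmation that the 2.16.0 roll-out actually reached that host.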
The Log4jshell flaw, which was made public last week, allows attackers to control LDAP and other JNDI-related endpoints and then execute arbitrary code loaded from LDAP servers by injecting a specially crafted string into data that the application logs, causing Log4j to attempt to connect to an external source. It is considered to be especially dangerous because the attack is easy to conduct, and because Log4j is used in thousands of high-profile and widely used Java applications.