After the disastrous Log4j vulnerability disrupted the online world, another vulnerability has surfaced. It turns out that the first patch was ‘incomplete’, so another Apache Log4j version has been released.
Second Apache Log4j Bug Found
Reportedly, Apache has released another major update for its Log4j code library addressing a serious bug. Identified as CVE-2021-45046, this vulnerability appeared following an incomplete patch of the (now infamous) Log4Shell flaw (CVE-2021-44228).
As stated in the vulnerability description,
It was found that the fix to address CVE-2021-44228 in Apache Log4j 2.15.0 was incomplete in certain non-default configurations. This could allow attackers with control over Thread Context Map (MDC) input data when the logging configuration uses a non-default Pattern Layout with either a Context Lookup (for example, $${ctx:loginId}) or a Thread Context Map pattern (%X, %mdc, or %MDC) to craft malicious input data using a JNDI Lookup pattern resulting in a denial of service (DOS) attack.
Hence, Apache released Log4j version 2.16.0, which addresses this vulnerability by removing support for message lookup patterns and disabling JNDI by default.
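As an added illustration, not code from the original article or from the Apache project, the following Python audit reads a log4j2.xml and flags every PatternLayout that uses the Context Lookup or Thread Context Map patterns named in the description above, then combines that with the deployed Log4j version to say whether the deployment sits in the configuration CVE-2021-45046 describes. The configuration is a constructed sample and the function names are my own.

```python
import re
import xml.etree.ElementTree as ET

# Constructed log4j2.xml sample (not from any real deployment): "Audit" uses a
# non-default pattern that pulls Thread Context Map (MDC) data into the layout,
# "Plain" uses a pattern with no MDC reference.
SAMPLE_LOG4J2_XML = """
<Configuration status="WARN">
  <Appenders>
    <Console name="Audit" target="SYSTEM_OUT">
      <PatternLayout pattern="%d %p user=$${ctx:loginId} req=%X{requestId} %m%n"/>
    </Console>
    <Console name="Plain" target="SYSTEM_OUT">
      <PatternLayout pattern="%d %p %c{1.} %m%n"/>
    </Console>
  </Appenders>
  <Loggers>
    <Root level="info"><AppenderRef ref="Audit"/><AppenderRef ref="Plain"/></Root>
  </Loggers>
</Configuration>
"""

# The two ways a PatternLayout feeds MDC data into the layout, as named in the
# CVE-2021-45046 description: a Context Lookup ($${ctx:...}) or a Thread
# Context Map conversion pattern (%X, %mdc, %MDC).
CONTEXT_LOOKUP = re.compile(r"\$\$?\{ctx:")
CONTEXT_PATTERN = re.compile(r"%(X|mdc|MDC)\b")


def find_context_patterns(config_xml):
    """Return (appender name, pattern) for each PatternLayout that pulls in MDC data."""
    root = ET.fromstring(config_xml)
    findings = []
    for element in root.iter():
        for layout in element.findall("PatternLayout"):
            pattern = layout.get("pattern", "")
            if CONTEXT_LOOKUP.search(pattern) or CONTEXT_PATTERN.search(pattern):
                findings.append((element.get("name", "?"), pattern))
    return findings


def parse_version(version):
    """'2.15.0' -> (2, 15, 0); tolerates suffixes such as '2.15.0-rc1'."""
    return tuple(int(p) for p in re.match(r"(\d+)\.(\d+)\.(\d+)", version).groups())


def assess(version, config_xml):
    """'fixed' from 2.16.0 on; below that, 'exposed-config' when the layout uses
    MDC patterns (the CVE-2021-45046 case), else 'upgrade-required'."""
    if parse_version(version) >= (2, 16, 0):
        return "fixed", []
    findings = find_context_patterns(config_xml)
    return ("exposed-config" if findings else "upgrade-required"), findings
```

Any deployment below 2.16.0 still needs the upgrade; the 'exposed-config' result only singles out the non-default layouts on which the incomplete 2.15.0 fix could be bypassed.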
This means that all users running earlier versions of Log4j remain exposed to the Log4Shell exploits already active globally, including those who have only just updated to Log4j version 2.15.0.
According to ESET, the US, UK, Germany, Turkey, and the Netherlands have witnessed many exploitation attempts already.
Another report suggested that cybercriminals are exploiting this vulnerability to spread a new ransomware, “Khonsari”.
Besides, Microsoft has warned of state-backed exploitation of this bug by threat actors from China, Iran, Turkey, and North Korea.
Therefore, users should rush to update their apps and systems at the earliest to avoid any unfortunate incident. If updating isn’t possible, researchers have also rolled out a ‘vaccine’ that exploits the bug to disable vulnerable settings, so users can try this workaround on vulnerable systems until they receive the updates.