The Log4j saga: New vulnerabilities and attack vectors discovered

The Apache Log4j saga continues, as several new vulnerabilities have been discovered in the popular library since Log4Shell (CVE-2021-44228) was fixed by releasing Log4j v2.15.0.

There’s CVE-2021-45046, a DoS/RCE flaw that was fixed in v2.16.0, then CVE-2021-45105, a DoS hole plugged in v2.17.0. Oh, and there’s CVE-2021-4104, a RCE vulnerability affecting Log4j v1.2, which will not be fixed because the 1.x branch has reached end-of-life.

But these new revelations should not make you panic. While Log4Shell is exploitable in the default configuration of the library, the others are not, and the likelihood of those getting exploited is, according to Tenable‘s Satnam Narang, low.

Security threat analyst Kevin Beaumont concurs:

Log4j hype check – the latest Log4j vulnerability, todays CVE-2021-45105:

– only applies to *non-default* configurations
– would only allow the Java process to terminate, no code execution.

Focus on remediating Log4Shell and do not get caught in the vulnerability hype train.

— Kevin Beaumont (@GossiTheDog) December 18, 2021

There is going to be continued focus on log4j vulns for some time. It is very important to know not every new vulnerability is equal, or likely to be exploited.

— Kevin Beaumont (@GossiTheDog) December 19, 2021

So, if possible, organizations should upgrade all the Log4j instances to v2.17.0 (for Java 8) and v2.12.2 (For Java 7). If that’s not possible, the project maintainers advise removing the JndiLookup class from the classpath.

The CISA has issued on Friday an emergency directive mandating federal civilian executive branch agencies to address Log4j vulnerabilities by December 28, 2021.

Affected products

As some companies elatedly confirm their products are not affected by the flaws because they don’t use the Log4j library, Google has scanned Maven Central, the most significant Java package repository, and found that over 35,000 available Java artifacts depend on the affected log4j code.

“Direct dependencies account for around 7,000 of the affected artifacts, meaning that any of its versions depend upon an affected version of log4j-core or log4j-api, as described in the CVEs. The majority of affected artifacts come from indirect dependencies (that is, the dependencies of one’s own dependencies), meaning log4j is not explicitly defined as a dependency of the artifact, but gets pulled in as a transitive dependency,” James Wetter and Nicky Ringland of Google’s Open Source Insights Team explained.

“At the time of writing, nearly five thousand of the affected artifacts have been fixed. This represents a rapid response and mammoth effort both by the log4j maintainers and the wider community of open source consumers. That leaves over 30,000 artifacts affected, many of which are dependent on another artifact to patch (the transitive dependency) and are likely blocked.”

The Dutch Nationaal Cyber Security Centrum (NCSC-NL) and the CISA are constantly updating their lists of affected products.

Log4j attack vectors

Alternative Log4Shell attack vectors are getting discovered. This one, documented by Blumira researchers, could trigger the RCE on internal and locally exposed unpatched Log4j applications.

According to AdvIntel researchers Vitali Kremez and Yelisey Boguslavskiy, the Conti ransomware gang has started using the Log4Shell bug for lateral movement.

“The current exploitation led to multiple use cases through which the Conti group tested the possibilities of utilizing the Log4J2 exploit. Most importantly, AdvIntel confirmed that the criminals pursued targeting specific vulnerable Log4J2 VMware vCenter for lateral movement directly from the compromised network resulting in vCenter access affecting US and European victim networks from the pre-existent Cobalt Strike sessions,” they shared.

Risk mitigation

Time is of the essence.

“It is only a matter of time until Conti and possibly other groups will begin exploiting Log4j2 to its full capacity. It is recommended to patch the vulnerable system immediately and view the Log4j2 as a ransomware group exploitation vector,” the AdvIntel researchers noted.

Administrators of OT networks should also be actively working on finding and implementing solutions to protect them against exploitation.

The advice for board members that the UK’s National Cyber Security Centre has published on Friday is a helpful primer on what organizations should be doing at the moment.