On Friday, the Apache Software Foundation (ASF) released version 2.17.0 of its widely adopted logging library, Log4j, addressing a new vulnerability that malicious actors can exploit for denial-of-service (DoS) attacks. The vulnerability is tracked as CVE-2021-45105, carries a CVSS score of 7.5, and affects all versions from 2.0-beta9 to 2.16.0. Earlier this week, the ASF had already released a patch for another weakness, CVE-2021-45046, which stemmed from an incomplete fix for the notorious Log4Shell vulnerability, CVE-2021-44228.

According to ASF, “Apache Log4j2 versions 2.0-alpha1 through 2.16.0 did not protect against uncontrolled recursion from self-referential lookups.” The flaw lets an attacker who can influence logged data supply input that triggers recursive lookups, producing a StackOverflowError that terminates the affected application. The updated advisory stresses that the risk arises when a non-default Pattern Layout with a Context Lookup is in use, since that configuration evaluates attacker-controlled context values and is therefore exposed to crafted inputs.
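As an added illustration of the self-referential lookup problem described above (model code written for this article, not Log4j's own implementation), the sketch below resolves `${ctx:key}` placeholders from a thread-context map. An unbounded resolver recurses until the interpreter's stack limit, the Python analogue of Java's StackOverflowError, while a depth bound or a non-recursive substitution fails safely. The context map and patterns are constructed sample data.

```python
import re

# Matches ${prefix:key}; only the "ctx" prefix is modelled here.
LOOKUP = re.compile(r"\$\{([a-zA-Z]+):([^}]*)\}")

# Constructed thread-context map: "self" refers to itself, "chain" to "user".
CTX = {"user": "alice", "self": "${ctx:self}", "chain": "${ctx:user}"}


class LookupRecursionError(RuntimeError):
    """Raised when nested lookup evaluation exceeds the configured bound."""


def resolve(pattern, ctx, max_depth=None, _depth=0):
    """Substitute ${ctx:key} placeholders, re-evaluating each looked-up value.

    With max_depth=None this is the vulnerable shape: a self-referential
    value recurses until the stack is exhausted. With a bound it fails fast.
    """
    if max_depth is not None and _depth > max_depth:
        raise LookupRecursionError(f"lookup nesting deeper than {max_depth}")

    def repl(match):
        prefix, key = match.group(1), match.group(2)
        if prefix != "ctx":
            return match.group(0)  # unknown lookup type: leave literal text
        # The looked-up value is itself interpolated: this is the recursion.
        return resolve(ctx.get(key, ""), ctx, max_depth, _depth + 1)

    return LOOKUP.sub(repl, pattern)


def resolve_nonrecursive(pattern, ctx):
    """Safer model: looked-up values are inserted verbatim, never re-evaluated."""
    return LOOKUP.sub(
        lambda m: ctx.get(m.group(2), "") if m.group(1) == "ctx" else m.group(0),
        pattern,
    )


def render(pattern, ctx, max_depth=None):
    """Return ("ok", text) or ("error", exception name) to expose the failure mode."""
    try:
        return ("ok", resolve(pattern, ctx, max_depth))
    except (RecursionError, LookupRecursionError) as exc:
        return ("error", type(exc).__name__)


if __name__ == "__main__":
    print(render("user=${ctx:user}", CTX))          # ('ok', 'user=alice')
    print(render("${ctx:self}", CTX))               # ('error', 'RecursionError')
    print(render("${ctx:self}", CTX, max_depth=8))  # ('error', 'LookupRecursionError')
    print(resolve_nonrecursive("${ctx:self}", CTX)) # ${ctx:self}
```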

The vulnerability was reported by Hideki Okamoto of Akamai Technologies and an unnamed security researcher. Notably, the Log4j 1.x series is not affected by CVE-2021-45105. The earlier vulnerability, CVE-2021-45046, meanwhile had its severity rating raised sharply from 3.7 to 9.0, reflecting the potential for information leaks and remote code execution and indicating a growing risk.

The ASF has highlighted that Log4j versions 1.x have reached their end-of-life status, thereby receiving no support or security updates for issues identified post-August 2015. Users are strongly urged to upgrade to the latest version, Log4j 2, to ensure they receive necessary patches and security enhancements.

This latest patch comes amid increasing scrutiny on the vulnerabilities associated with Log4j, especially as the U.S. Cybersecurity and Infrastructure Security Agency (CISA) mandated federal agencies to secure their internet-facing systems by December 23, 2021. CISA indicated that these vulnerabilities pose an “unacceptable risk” to federal operations, underscoring the urgency for immediate remedial action.

Exploitation attempts related to the Log4j vulnerabilities have surged, attracting attention from various threat actors, including state-sponsored groups from nations such as China, Iran, North Korea, and Turkey. Notably, the Conti ransomware group is also leveraging these flaws to facilitate a range of follow-on malicious activities. Cybersecurity researchers have noted that the exploitation of these vulnerabilities has become a lucrative strategy for sophisticated crimeware cartels, extending beyond traditional means of attack.

Research conducted by AdvIntel has further revealed that the Conti group has actively sought out vulnerable Log4j 2 servers, particularly targeting VMware vCenter installations to achieve lateral movement throughout compromised networks. The techniques used suggest a deliberate approach to exploitation, employing tactics consistent with the MITRE ATT&CK framework, including initial access, lateral movement, and exploitation of public-facing applications.

Emerging threats from this vulnerability spectrum are not limited to ransomware; they also encompass a diverse array of attack vectors, including cryptocurrency miners, botnets, and advanced remote access tools. According to findings from Israeli security firm Check Point, there have been over 3.7 million exploitation attempts to date, with roughly 46% of these attacks logged as originating from known malicious groups. As the cybersecurity landscape evolves, vigilance and proactive measures remain essential for organizations managing their exposure to these escalating threats.
