Log4j it’s Worsens One More Time !

The issues with Log4j continued to stack up as the Apache Software Foundation (ASF) rolled out yet another patch version 2.17.0 for the widely used logging library that could be exploited by malicious actors to stage a denial-of-service (DoS) attack.

Tracked as CVE-2021-45105 (CVSS score: 7.5), the new vulnerability affects all versions of the tool from 2.0-beta9 to 2.16.0, which the open-source nonprofit shipped earlier this week to remediate a second flaw that could result in remote code execution (CVE-2021-45046), which, in turn, stemmed from an “incomplete” fix for CVE-2021-44228, otherwise called the Log4Shell vulnerability.

Apache Log4j2 versions 2.0-alpha1 through 2.16.0 did not protect from uncontrolled recursion from self referential lookups. When the logging configuration uses a non-default Pattern Layout with a Context Lookup (for example, $${ctx:loginId}), attackers with control over Thread Context Map (MDC) input data can craft malicious input data that contains a recursive lookup, resulting in a StackOverflowError that will terminate the process.

It’s worth pointing out that the severity score of CVE-2021-45046, originally classified as a DoS bug, has since been revised from 3.7 to 9.0, to reflect the fact that an attacker could abuse the vulnerability to send a specially crafted string that leads to information leak and remote code execution in some environments and local code execution in all environments.

The project maintainers also noted that Log4j versions 1.x have reached end of life and are no longer supported, and that security flaws uncovered in the utility after August 2015 will not be fixed, urging users to upgrade to Log4j 2 to get the latest fixes.

The development also comes as the Log4j flaws have emerged as a lucrative attack vector and a focal point for exploitation by multiple threat actors, including nation-backed hackers from the likes of China, Iran, North Korea, and Turkey as well as the Conti ransomware gang, to carry out an array of follow-on malicious activities. This marks the first time the vulnerability has come under the radar of a sophisticated crimeware cartel.