Details of CVE-2021-44228 & CVE-2021-45046, the two new Log4j vulnerabilities affecting millions of devices

On December 10, a critical vulnerability was announced in the Log4j logging utility, developed by the Apache Software Foundation; its exploitation has caused problems for thousands of online deployments.

Tracked as CVE-2021-44228 and dubbed Log4Shell, this flaw allows threat actors to send a snippet of malicious input that is logged by Log4j v2.0 and earlier, giving them full access to the affected system and the ability to execute code remotely.

While online deployment managers and software developers continue to grapple with this flaw, cybersecurity specialists report the detection of two new vulnerabilities associated with this utility that could put millions of deployments around the world at risk.

Incomplete patches

According to a report by Cyber Kendra, CVE-2021-45046 was confirmed on Tuesday: a flaw arising from an incomplete patch for the previous vulnerability, which failed to fully address certain non-default configurations.

In more detail, the researchers note that mitigating the previous flaw required upgrading to the latest available version of Log4j (v2.15); however, this update still left thousands of systems vulnerable to remote code execution (RCE) attacks where only the noMsgFormatLookups flag was enabled or %m{nolookups} was configured, and ThreadContext data was populated with attacker-controlled values.

When the logging configuration uses a non-default pattern layout with a context lookup or a thread context map pattern, threat actors who control thread context map (MDC) input data can craft malicious input containing a JNDI lookup pattern, resulting in a denial of service (DoS) condition.

Fully fixing this flaw requires updating Log4j to v2.16.0.
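The two conditions described above (a pattern layout that reads Thread Context data, and a version older than the v2.16.0 fix) can be checked mechanically. The script below is an added example, not code from the article or from the Log4j project: it scans a constructed log4j2.xml for layouts that interpolate Thread Context data via the `${ctx:...}` lookup or the `%X`/`%mdc`/`%MDC` converters (these are Log4j's own pattern syntax, assumed here as the concrete form of the "context lookup" and "thread context map pattern" the text mentions), and compares the installed version against 2.16.0. The sample configuration and the `assess`/`find_context_patterns`/`needs_upgrade` names are this example's own.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample log4j2.xml (not a real deployment's file). "Safe" uses a
# default-style layout; the other two pull Thread Context (MDC) data into the
# pattern, which is the non-default configuration the text describes.
SAMPLE_CONFIG = """<Configuration status="WARN">
  <Appenders>
    <Console name="Safe" target="SYSTEM_OUT">
      <PatternLayout pattern="%d{ISO8601} %-5p [%t] %c{1} - %m%n"/>
    </Console>
    <Console name="CtxLookup" target="SYSTEM_OUT">
      <PatternLayout pattern="%d %p user=$${ctx:loginId} %m{nolookups}%n"/>
    </Console>
    <Console name="MdcPattern" target="SYSTEM_OUT">
      <PatternLayout pattern="%d %p %X{loginId} %m%n"/>
    </Console>
  </Appenders>
  <Loggers>
    <Root level="info"><AppenderRef ref="Safe"/></Root>
  </Loggers>
</Configuration>
"""

# Layout fragments that read Thread Context Map data: the Context Lookup
# (${ctx:...} or the late-evaluated $${ctx:...}) and the %X/%mdc/%MDC converters.
CTX_LOOKUP = re.compile(r"\$\$?\{ctx:")
MDC_CONVERTER = re.compile(r"%(?:X|mdc|MDC)\b")

FIXED_VERSION = "2.16.0"  # the version the text names as the full fix


def find_context_patterns(xml_text):
    """Return [(appender name, pattern)] for every PatternLayout whose pattern
    interpolates Thread Context data, i.e. the layouts CVE-2021-45046 concerns."""
    root = ET.fromstring(xml_text)
    appenders = root.find("Appenders")
    if appenders is None:
        return []
    hits = []
    for appender in appenders:
        for layout in appender.iter("PatternLayout"):
            pattern = layout.get("pattern", "")
            if CTX_LOOKUP.search(pattern) or MDC_CONVERTER.search(pattern):
                hits.append((appender.get("name"), pattern))
    return hits


def parse_version(version):
    """'2.15.0' -> (2, 15, 0); trailing qualifiers such as '-rc1' are ignored."""
    match = re.match(r"\d+(?:\.\d+)*", version)
    if not match:
        raise ValueError(f"unrecognised version string: {version!r}")
    return tuple(int(part) for part in match.group(0).split("."))


def needs_upgrade(version, fixed=FIXED_VERSION):
    """True when an installed 2.x version predates the full fix."""
    return parse_version(version) < parse_version(fixed)


def assess(version, xml_text):
    """Combine both checks into one finding for a deployment.

    'upgrade' : version predates 2.16.0, so upgrading is required regardless of
                layout (the %m{nolookups} / flag mitigations are not sufficient).
    'exposed' : additionally, at least one layout reads Thread Context data,
                the non-default configuration CVE-2021-45046 describes.
    'ok'      : version is 2.16.0 or later.
    """
    hits = find_context_patterns(xml_text)
    if not needs_upgrade(version):
        return {"status": "ok", "context_layouts": hits}
    status = "exposed" if hits else "upgrade"
    return {"status": status, "context_layouts": hits}


if __name__ == "__main__":
    for ver in ("2.14.1", "2.15.0", "2.16.0"):
        print(ver, assess(ver, SAMPLE_CONFIG)["status"])
```

Run against a real deployment, `xml_text` would be the contents of the application's log4j2.xml and `version` the one reported by the bundled log4j-core jar; configurations in properties, YAML or JSON form would need their own loader, which this example does not attempt.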

A third flaw appears

Separately, researchers from the security firm Praetorian revealed this week a third vulnerability in Log4j v2.15.0 whose exploitation would allow threat actors to extract sensitive data under certain circumstances.

The researchers did not share detailed technical information about the flaw, but say their findings have already been reported to the Apache Foundation. They recommend that users of affected deployments upgrade to v2.16.0 as soon as possible, although it is not known with certainty whether that version is immune to this new vulnerability, which has not yet received a CVE identifier.

This week, Cloudflare and Microsoft detected multiple threat actors exploiting Log4Shell flaws for various purposes. The campaign that most caught the attention of the cybersecurity community was detected by Bitdefender, whose researchers found that a hacking group was exploiting the flaw to infect affected systems with Khonsari ransomware.

Since the emergence of these dangerous flaws, researchers have been working to find the best possible mitigation methods, and Log4j's developers have remained in constant communication with users to keep them informed of any new security risks related to Log4Shell.

To learn more about information security risks, malware variants, vulnerabilities and information technologies, feel free to access the International Institute of Cyber Security (IICS) websites.