The new vulnerability, CVE-2021-45046, allows attackers to launch denial-of-service (DoS) attacks. It comes after the Apache Software Foundation (ASF) revealed that the original fix for the remote code execution bug — CVE-2021-44228 aka Log4Shell — was “incomplete in certain non-default configurations.” Since then, the problem has been fixed in Log4j version 2.16.0.
Cloudflare, a provider of web infrastructure, confirmed on Wednesday that threat actors are actively attempting to exploit a second bug discovered in the widely used Log4j logging utility, making it critical that customers install the latest version as a barrage of attacks continues to pummel unpatched systems with a variety of malware.
Cloudflare’s Andre Bluehs and Gabriel Gabor warned: “Anyone using Log4J should update to version 2.16.0 as soon as possible, even if you have previously updated to 2.15.0. This vulnerability is actively being exploited.”
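The advice above is to move to 2.16.0 even where 2.15.0 is already deployed, which means a defender first has to know which log4j-core versions are actually present on a host. The following inventory script is an added example, not code from Cloudflare or the Log4j project: it walks a directory tree, reads the Maven `pom.properties` entry that a log4j-core jar carries, and flags every version below 2.16.0. The jars it scans are constructed in a temporary directory so the script runs offline; the `FIXED_VERSION` threshold and the `demo()` helper are this example's own assumptions.

```python
import re
import tempfile
import zipfile
from pathlib import Path

# Assumption for this example: anything below 2.16.0 is treated as affected,
# matching the page's advice. Raise the constant if a later fix release applies.
FIXED_VERSION = (2, 16, 0)

# Maven build metadata that a real log4j-core jar ships with.
POM_PROPS = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"


def parse_version(text):
    """Turn '2.16.0' into (2, 16, 0); return None for anything that is not x.y.z."""
    m = re.match(r"(\d+)\.(\d+)\.(\d+)", text)
    if not m:
        return None
    return tuple(int(x) for x in m.groups())


def log4j_core_version(jar_path):
    """Return the log4j-core version recorded in the jar, or None if it is not log4j-core."""
    with zipfile.ZipFile(jar_path) as zf:
        if POM_PROPS not in zf.namelist():
            return None
        for line in zf.read(POM_PROPS).decode("utf-8", "replace").splitlines():
            if line.startswith("version="):
                return parse_version(line.split("=", 1)[1].strip())
    return None


def scan_for_log4j(root):
    """Return (path, version, needs_update) for every jar under root that contains log4j-core."""
    findings = []
    for path in Path(root).rglob("*.jar"):
        try:
            version = log4j_core_version(path)
        except zipfile.BadZipFile:
            continue  # not a real jar; skip rather than abort the whole scan
        if version is None:
            continue
        findings.append((str(path), version, version < FIXED_VERSION))
    return findings


def make_sample_jar(directory, name, version):
    """Constructed sample: a minimal jar holding only the pom.properties entry."""
    jar = Path(directory) / name
    with zipfile.ZipFile(jar, "w") as zf:
        zf.writestr(
            POM_PROPS,
            f"version={version}\ngroupId=org.apache.logging.log4j\nartifactId=log4j-core\n",
        )
    return jar


def demo():
    """Build constructed jars for 2.14.1, 2.15.0 and 2.16.0, plus one unrelated jar, and scan them."""
    with tempfile.TemporaryDirectory() as tmp:
        make_sample_jar(tmp, "log4j-core-2.14.1.jar", "2.14.1")
        make_sample_jar(tmp, "log4j-core-2.15.0.jar", "2.15.0")
        make_sample_jar(tmp, "log4j-core-2.16.0.jar", "2.16.0")
        # A jar with no log4j-core metadata must not be reported.
        with zipfile.ZipFile(Path(tmp) / "other.jar", "w") as zf:
            zf.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
        return sorted(scan_for_log4j(tmp))


if __name__ == "__main__":
    for path, version, needs_update in demo():
        status = "UPDATE to 2.16.0" if needs_update else "ok"
        print(f"{path}: log4j-core {'.'.join(map(str, version))} -> {status}")
```

Point `scan_for_log4j()` at an application's lib directory to run it for real. It only inspects top-level `.jar` files, so log4j-core bundled inside a `.war`, `.ear` or shaded fat jar needs the archive unpacked first; treat an empty result as "nothing found by this method", not as proof that the host is clean.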
Advanced persistent threat groups from China, Iran, North Korea, and Turkey, including Hafnium and Phosphorus, have stepped into the fray to operationalize the vulnerability and find and exploit as many vulnerable systems as possible for follow-on assaults. So far, there have been over 1.8 million attempts to exploit the Log4j vulnerability.
According to industrial cybersecurity firm Dragos, “This cross-cutting vulnerability, which is vendor-agnostic and affects both proprietary and open-source software will leave a wide swath of industries vulnerable to remote exploitation, including electric power, water, food and beverage, manufacturing, transportation and more.”
Furthermore, researchers at security firm Praetorian warned of a third security flaw in Log4j version 2.15.0 that could enable sensitive data exfiltration in certain conditions. To prevent further exploitation, technical details about the problem have been withheld, but it’s unclear whether this has already been resolved in version 2.16.0.
While it’s common for threat actors to try to exploit newly disclosed vulnerabilities before they’re patched, the Log4j flaw highlights the risks that come with software supply chains when a key piece of software is used across multiple vendors’ products and deployed by their customers all over the world.
Finally, the researchers concluded that, “As network defenders cut off more simple exploit vectors and advanced adversaries incorporate the vulnerability in their attacks, more advanced forms of Log4j exploits will develop with a larger possibility of directly hitting Operational Technology networks.”