Blumira CTO Matthew Warner explained: “There is no evidence of active exploitation at this time. This vector significantly broadens the attack surface and can have an impact on services running as localhost that are not exposed to the network. With this newly discovered attack vector, anyone with a vulnerable Log4j version on their machine or local private network can browse a website and potentially trigger the vulnerability.”
While the problem can be fixed by updating all local development and internet-facing environments to Log4j 2.16.0, Apache released version 2.17.0 on Friday, which fixes a denial-of-service (DoS) vulnerability tracked as CVE-2021-45105 (CVSS score: 7.5), making it the third Log4j 2 flaw to be discovered after CVE-2021-45046 and CVE-2021-44228.
The complete list of flaws discovered to date in the logging framework after the original remote code execution bug was disclosed is as follows —
- CVE-2021-44228 (CVSS score: 10.0) – A remote code execution vulnerability affecting Log4j versions from 2.0-beta9 to 2.14.1 (Fixed in version 2.15.0)
- CVE-2021-45046 (CVSS score: 9.0) – An information leak and remote code execution vulnerability affecting Log4j versions from 2.0-beta9 to 2.15.0, excluding 2.12.2 (Fixed in version 2.16.0)
- CVE-2021-45105 (CVSS score: 7.5) – A denial-of-service vulnerability affecting Log4j versions from 2.0-beta9 to 2.16.0 (Fixed in version 2.17.0)
- CVE-2021-4104 (CVSS score: 8.1) – An untrusted deserialization flaw affecting Log4j version 1.2 (No fix available; upgrade to version 2.17.0)
Jake Williams, CTO and co-founder of incident response firm BreachQuest, said: “Similar to Log4j, the original PrintNightmare vulnerability disclosure this summer resulted in the discovery of multiple additional distinct vulnerabilities. The discovery of new vulnerabilities in Log4j should not raise concerns about the security of the software as a whole. Log4j is actually more secure as a result of the extra attention paid by researchers.”
Data from Romanian cybersecurity firm Bitdefender indicates that more than half of the attacks use the Tor online privacy service to mask their true origins.
Martin Zugec, technical solutions director at Bitdefender, reported that “threat actors using Log4j are routing their attacks through machines closer to their intended targets, and just because we don’t see countries commonly associated with cybersecurity threats at the top of the list doesn’t mean that attacks did not originate there.”
According to telemetry data gathered between December 11 and December 15, Germany and the United States accounted for 60% of all exploitation attempts. During the observation period, the most common attack targets were the United States, Canada, the United Kingdom, Romania, Germany, Australia, France, the Netherlands, Brazil, and Italy.
Google’s James Wetter and Nicky Ringland observed: “Account holders’ lack of visibility into their dependencies and transitive dependencies has made patching difficult; it has also made determining the full blast radius of this vulnerability difficult.” At the time the information was released, 2,620 of the impacted packages had already been fixed.
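The transitive-dependency blind spot described above, and the version ranges in the CVE list earlier in the article, can be turned into a simple blast-radius check. The following Python scanner is an added example, not code from the article, Apache or Google: it walks a constructed `mvn dependency:tree` listing, finds every Log4j artifact (including ones pulled in indirectly) and maps each version to the CVEs exactly as the article's list states them. The Maven coordinates, the sample tree and the `com.example` artifacts are assumptions.

```python
import re

# Log4j 2 flaws exactly as the article lists them: (CVE, first affected, last affected, excluded).
LOG4J2_CVES = [
    ("CVE-2021-44228", "2.0-beta9", "2.14.1", ()),
    ("CVE-2021-45046", "2.0-beta9", "2.15.0", ("2.12.2",)),
    ("CVE-2021-45105", "2.0-beta9", "2.16.0", ()),
]
VERSION_RE = re.compile(r"(\d+)\.(\d+)(?:\.(\d+))?(?:-([a-z]+)(\d+))?")
# Assumed Maven coordinates of the 2.x artifact (log4j-core) and the 1.x artifact (log4j:log4j).
DEP_RE = re.compile(r"(?:org\.apache\.logging\.log4j|log4j):(log4j-core|log4j):jar:([^:]+):(\w+)")

def parse_version(version):
    """Turn '2.0-beta9' or '2.14.1' into a sortable tuple; beta/rc tags sort before the release."""
    m = VERSION_RE.fullmatch(version.strip())
    if not m:
        raise ValueError(f"unrecognised Log4j version: {version!r}")
    major, minor, patch, tag, tagnum = m.groups()
    release = (0, tag, int(tagnum)) if tag else (1, "", 0)
    return (int(major), int(minor), int(patch or 0)) + release

def affected_cves(version):
    """Return the article's CVE ids that apply to one Log4j version string."""
    v = parse_version(version)
    if v[:2] == (1, 2):  # Log4j 1.2 has no fixed release, only the upgrade path to 2.17.0
        return ["CVE-2021-4104"]
    return [cve for cve, first, last, excluded in LOG4J2_CVES
            if version not in excluded
            and parse_version(first) <= v <= parse_version(last)]

# Constructed sample of `mvn dependency:tree` output (not from the article). The vulnerable
# log4j-core arrives transitively through legacy-lib, the visibility gap the article describes.
SAMPLE_TREE = """\
[INFO] com.example:webapp:war:1.0
[INFO] +- com.example:legacy-lib:jar:3.2:compile
[INFO] |  \\- org.apache.logging.log4j:log4j-core:jar:2.14.1:compile
[INFO] +- log4j:log4j:jar:1.2.17:runtime
[INFO] \\- org.apache.logging.log4j:log4j-core:jar:2.17.0:test
"""

def scan_tree(tree_text):
    """List (artifact, version, scope, cves) for every Log4j entry in a Maven dependency tree."""
    findings = []
    for line in tree_text.splitlines():
        m = DEP_RE.search(line)
        if m:
            artifact, version, scope = m.groups()
            findings.append((artifact, version, scope, affected_cves(version)))
    return findings
```

Running `scan_tree(SAMPLE_TREE)` flags the transitive 2.14.1 copy with all three Log4j 2 CVEs and the 1.2.17 copy with CVE-2021-4104, while the 2.17.0 test-scope copy comes back clean; the scope field lets a defender prioritise compile/runtime hits over test-only ones.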
Finally, Williams concluded: “It will likely take some time before we understand the full ramifications of the log4j vulnerability, but that’s only because it’s embedded in so much software. This has nothing to do with malicious threat actors. It has to do with the difficulty in locating the library’s numerous embeddings. The vulnerability itself will grant threat actors initial access, allowing them to later perform privilege escalation and lateral movement – this is where the real risk lies.”