On Fri., Apache released yet another patch – version 2.17 – for yet another flaw in the widely used Log4j logging library, this time a denial-of-service (DoS) bug.
The new Log4j vulnerability is similar to Log4Shell because it also affects the logging library, but this DoS flaw has to do with Context Map lookups, not JNDI.
Nastier Mutations
‘Trouble comes in 3s’, & this is the 3rd flaw for Log4j. The latest bug isn’t a variant of the Log4Shell remote-code execution (RCE) bug that has plagued IT teams since Dec. 10: that one came under active attack worldwide within hours of its disclosure, spawned even nastier mutations & left Apache’s initial patch open to a denial-of-service (DoS) condition.
It does have similarities: the new bug affects the same component as Log4Shell. Both Log4Shell, tracked as CVE-2021-44228 (CVSS 10.0), & the new bug, tracked as CVE-2021-45105 (CVSS 7.5), abuse attacker-controlled lookups in logged data.
Context Map
The difference: the lookups in the new bug, CVE-2021-45105, are Context Map lookups, rather than the Java Naming & Directory Interface (JNDI) lookups to an LDAP server that, in the Log4Shell vulnerability, let attackers execute whatever code is returned.
ContextMapLookup allows applications to store data in the Log4j ThreadContext Map & then retrieve the values from the Log4j configuration. E.g., an app could store the current user’s login ID in the ThreadContext Map under the key “loginId” & reference it from a pattern layout as ${ctx:loginId}.
Input Validation
The problem is linked to improper input validation & uncontrolled recursion that can lead to DoS.
As explained by Guy Lederfein of the Trend Micro Research Team, “the Apache Log4j API supports variable substitution in lookups. However, a crafted variable can cause the application to crash due to uncontrolled recursive substitutions.
An attacker with control over lookup commands (e.g., via the Thread Context Map) can produce a malicious lookup variable, which results in a Denial-of-Service (DoS) attack.”
All Versions of the Tool
This new vulnerability affects all versions of the tool from 2.0-beta9 through 2.16, the version Apache released last week to correct the 2nd flaw in the trio. That 2nd bug was the RCE flaw CVE-2021-45046, which in turn emerged from Apache’s incomplete fix for CVE-2021-44228, aka the Log4Shell vulnerability.
Lederfein continued: “When a nested variable is substituted by the StrSubstitutor class, it recursively calls the substitute class. However, when the nested variable references the variable being replaced, the recursion is called with the same string.
Infinite Recursion
This leads to an infinite recursion & a DoS condition on the server. For example, if the Pattern Layout contains a Context Lookup of ${ctx.apiversion}, & its assigned value is ${${ctx.apiversion}}, the variable will be recursively substituted with itself.”
The vulnerability has been tested & confirmed on Log4j versions up to & including 2.16, he explained.
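To make the mechanism Lederfein describes concrete, below is a small Python model of Log4j-style ${...} variable substitution, written for this article; it is not Log4j’s own StrSubstitutor code & does not load the library. It resolves nested variables inner-first (like the real substituter), supports only the ThreadContext prefix ${ctx:key} (the real lookup syntax; the article’s ${ctx.apiversion} spelling is kept in the quote above), & shows two things: a self-referencing value of ${${ctx:apiversion}} drives the unguarded recursive substituter into a stack overflow (Python’s RecursionError standing in for Java’s StackOverflowError), & a substituter that refuses to re-enter the same string, plus a depth bound, rejects the value instead of killing the logging thread. The render() helper, the max_depth value & the sample ThreadContext maps are assumptions made for the example.

```python
"""Toy model of Log4j-style ${...} substitution (written for this article,
NOT Log4j's StrSubstitutor). Only the ThreadContext prefix ${ctx:key} is
modelled; unknown variables are left in place as Log4j does."""


class LookupCycleError(RuntimeError):
    """Raised by the hardened substituter when a lookup refers to itself."""


def _find_var(text, start=0):
    """Return (open_idx, close_idx) of the first ${...} at or after start,
    with close_idx at the matching '}' (nesting-aware), or None if absent."""
    open_idx = text.find("${", start)
    if open_idx < 0:
        return None
    depth, i = 0, open_idx
    while i < len(text):
        if text.startswith("${", i):
            depth += 1
            i += 2
            continue
        if text[i] == "}":
            depth -= 1
            if depth == 0:
                return open_idx, i
        i += 1
    return None  # unterminated ${ is treated as literal text


def _resolve(name, ctx):
    """Resolve one lookup against the (modelled) ThreadContext Map."""
    if name.startswith("ctx:"):
        return ctx.get(name[4:])
    return None


def substitute_vulnerable(text, ctx):
    """Pre-2.17-style behaviour: expand the variable name inner-first, resolve
    it, then recursively substitute the resolved VALUE with no cycle check.
    A value of '${${ctx:k}}' for key k recurses on the same string forever."""
    out, pos = [], 0
    while (m := _find_var(text, pos)) is not None:
        open_idx, close_idx = m
        out.append(text[pos:open_idx])
        name = substitute_vulnerable(text[open_idx + 2:close_idx], ctx)
        value = _resolve(name, ctx)
        if value is None:
            out.append("${" + name + "}")
        else:
            out.append(substitute_vulnerable(value, ctx))  # unbounded step
        pos = close_idx + 1
    out.append(text[pos:])
    return "".join(out)


def substitute_hardened(text, ctx, _active=None, _depth=0, max_depth=16):
    """Same algorithm with two guards: refuse to re-enter substitution on a
    string that is already being substituted (the 'same string' recursion the
    article describes) & bound the total nesting depth (assumed limit: 16)."""
    _active = set() if _active is None else _active
    if text in _active:
        raise LookupCycleError(f"cyclic lookup: {text!r}")
    if _depth > max_depth:
        raise LookupCycleError("lookup nesting too deep")
    _active.add(text)
    try:
        out, pos = [], 0
        while (m := _find_var(text, pos)) is not None:
            open_idx, close_idx = m
            out.append(text[pos:open_idx])
            name = substitute_hardened(text[open_idx + 2:close_idx], ctx,
                                       _active, _depth + 1, max_depth)
            value = _resolve(name, ctx)
            if value is None:
                out.append("${" + name + "}")
            else:
                out.append(substitute_hardened(value, ctx, _active,
                                               _depth + 1, max_depth))
            pos = close_idx + 1
        out.append(text[pos:])
        return "".join(out)
    finally:
        _active.discard(text)


def render(pattern, ctx, substitute=substitute_hardened):
    """Render a pattern-layout-like string against a ThreadContext map and
    return the line, or a diagnostic instead of crashing the logging thread."""
    try:
        return substitute(pattern, ctx)
    except RecursionError:  # Java equivalent: StackOverflowError
        return "<stack overflow: logging thread would have died>"
    except LookupCycleError as e:
        return f"<lookup rejected: {e}>"


if __name__ == "__main__":
    pattern = "[api=${ctx:apiversion}] request handled"   # constructed layout
    benign = {"apiversion": "v2"}                         # constructed ctx
    hostile = {"apiversion": "${${ctx:apiversion}}"}      # self-referencing
    print(render(pattern, benign, substitute_vulnerable))
    print(render(pattern, hostile, substitute_vulnerable))
    print(render(pattern, hostile))
```

The vulnerable path dies on the hostile map because every resolution of ctx:apiversion yields the same ${${ctx:apiversion}} string, which is immediately substituted again; the hardened path notices that string is already on its substitution stack & rejects it, while ordinary nested lookups such as ${ctx:${ctx:which}} still resolve normally.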
Mitigating Factors
Apache has listed mitigating factors, but ZDI recommends upgrading to the latest version to ensure that the bug is completely addressed.
The latest bug & Apache’s new fix are just the newest developments in the ongoing, ever-shifting Log4j situation. As exploitation continues, new vulnerabilities emerge & patches need patching, & large tech players such as SAP have been racing to track the logging library & release product patches.
Immediate Patching
On Thur., the US Cybersecurity & Infrastructure Security Agency (CISA) issued an emergency directive requiring US Federal civilian depts. & agencies to patch their internet-facing systems for the Log4j vulnerabilities by Thurs., Dec. 23.
The risk presented by the library’s vulnerabilities is huge, as multiple threat actors have seized the opportunity to exploit vulnerable systems. As Check Point Research (CPR) highlighted last week, real-life attacks have included a crypto-mining group that launched attacks in 5 countries.
Nation-State Groups
Last week, Microsoft reported that nation-state groups Phosphorus (Iran) & Hafnium (China), as well as unnamed APTs from N. Korea & Turkey, are actively exploiting Log4Shell in targeted attacks.
Hafnium is known for targeting Exchange servers with the ProxyLogon zero-days in March, while Phosphorus – aka Charming Kitten, APT35, Ajax Security Team, NewsBeef & Newscaster – made headlines for targeting global summits & conferences in 2020.
CPR said that ‘Charming Kitten’ had gone after 7 Israeli targets as of Wed.
Conti Ransomware Gang
The Conti ransomware gang is involved too: AdvIntel researchers stated last week that they’ve seen Conti operators going after VMware vCenter.
“The current exploitation led to multiple use cases through which the Conti group tested the possibilities of utilising the Log4j 2 exploit,” the researchers said last week.
“The criminals pursued targeting specific vulnerable Log4j 2 VMware vCenter servers for lateral movement directly from the compromised network resulting in vCenter access affecting US & European victim networks from the pre-existent Cobalt Strike sessions.”
4.3m Attempted Exploits
Last week, a ransomware attack that some suspect may be attributable to the Conti gang forced a family-run chain of restaurants, hotels & breweries, McMenamins, to shut down some operations.
The bugs are also being used by botnets, remote access trojans (RATs), initial access brokers, & a new ransomware strain called Khonsari. As of Mon., CPR warned that it had seen more than 4.3m attempted exploits, more than 46% of which were made by “known malicious groups.”
More Sleepless Nights
Trend Micro’s Lederfein noted that Log4j has been in the vulnerability spotlight, having received “quite a bit of attention” since the Log4Shell vulnerability was revealed 10 days ago. Expect more of the same, he predicted, as “it would not be a surprise to see further bugs disclosed – with or without a patch.”
Tom Garrubba, CISO with Shared Assessments, agreed: “This vulnerability has been keeping a lot of security professionals up at night,” he commented. This Javageddon has even reached the C-suite, he outlined.
Affects Many Applications
“Executives & board members are also gaining interest as to how this will affect them as well,” he suggested. “Log4j is used all throughout the Internet & affects many applications & systems with deep roots.”
“The best path you can take right now is to stay alert to all patches that are coming out to address this vulnerability & put them into place immediately,” Garrubba advised.
“Sadly, it appears this is going to affect organisations continuously into the future as they identify more items that are affected by this vulnerability.”