Apache's Log4j Version 2.17.1 Addresses New Flaw
Security Researcher at Checkmarx Discloses Less-Severe RCE Vulnerability
Another Log4j patch has been released by the Apache Software Foundation, the nonprofit that supports Apache's open-source software projects. Its Log4j version 2.17.1 fixes a newly disclosed remote code execution vulnerability tracked as CVE-2021-44832.
The latest flaw is the fifth disclosed in under a month - four in Log4j and another detected in the "logback" framework. All relate to the easily exploitable arbitrary remote code execution flaw in the Java-based logging utility, which experts say is present in millions of devices worldwide, or more. Disclosure of the flaw, first reported Dec. 9, immediately sent security teams scrambling to identify vulnerable devices and systems, and the nonprofit's maintainers have pushed out follow-up patches semi-regularly since.
The new CVE - which carries a CVSS score of 6.6, or "moderate" - can be exploited in an RCE attack when an attacker is able to craft a "configuration using a JDBC Appender with a data source referencing a JNDI (Java Naming and Directory) URI." According to the MITRE Corp.'s CVE directory, CVE-2021-44832 is addressed by Apache's latest release, 2.17.1.
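Because the precondition the advisory text describes is a configuration change (a JDBC Appender whose DataSource points at a JNDI URI), one thing a defender can do while rolling out 2.17.1 is audit Log4j 2 configuration files for that pattern. The following is an added example, not code from the article or from the Log4j project; the XML fragments are constructed, and treating any jndiName that does not use the container-local java: scheme as suspect is an assumption of this script.

```python
import xml.etree.ElementTree as ET

# Constructed sample log4j2.xml (not from the article). The first appender uses a
# container-local JNDI name; the second references a remote URI, which is the
# JDBC Appender + DataSource + JNDI URI shape the CVE-2021-44832 description names.
SAMPLE_CONFIG = """<?xml version="1.0" encoding="UTF-8"?>
<Configuration status="warn">
  <Appenders>
    <JDBC name="LocalDb" tableName="app_log">
      <DataSource jndiName="java:comp/env/jdbc/LoggingDataSource"/>
      <Column name="message" pattern="%m"/>
    </JDBC>
    <JDBC name="Suspicious" tableName="app_log">
      <DataSource jndiName="ldap://untrusted-host.example/o=ref"/>
      <Column name="message" pattern="%m"/>
    </JDBC>
  </Appenders>
  <Loggers><Root level="info"><AppenderRef ref="LocalDb"/></Root></Loggers>
</Configuration>
"""


def find_jndi_datasources(config_xml: str) -> list[dict]:
    """Return every JDBC appender whose DataSource carries a jndiName, flagging
    it as 'remote' when the name is not a container-local java: name.
    (Assumption: a legitimate config only ever uses java: names here.)"""
    root = ET.fromstring(config_xml)
    findings = []
    for appender in root.iter():
        if appender.tag != "JDBC":
            continue
        for ds in appender.findall("DataSource"):
            name = ds.get("jndiName", "")
            findings.append({
                "appender": appender.get("name"),
                "jndiName": name,
                "remote": not name.lower().startswith("java:"),
            })
    return findings


def audit(config_xml: str) -> list[str]:
    """Names of JDBC appenders that reference a non-local JNDI data source."""
    return [f["appender"] for f in find_jndi_datasources(config_xml) if f["remote"]]


if __name__ == "__main__":
    for finding in find_jndi_datasources(SAMPLE_CONFIG):
        print(finding)
    print("flagged appenders:", audit(SAMPLE_CONFIG))
```

Any config that is flagged here deserves the same treatment Beaumont's point implies: someone with write access to it already has significant control of the host, so the finding is a prompt to check how the file changed, not only to patch.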
Security Community Weighs In
Yaniv Nizry, a researcher for application security testing firm Checkmarx, reportedly first tweeted about the vulnerability early Tuesday.
In a follow-up blog post, Nizry writes, "The complexity of this vulnerability is higher than the original CVE-2021-44228 since it requires the attacker to have control over the configuration (like the ‘logback’ vulnerability CVE-2021-42550)."
But some security experts have criticized the firm's online disclosure, suggesting that the exploitation was revealed prematurely - and prior to an official alert or advisory being issued.
Security researcher Kevin Beaumont, currently head of the security operations center for Arcadia Group, tweeted about the latest Log4j CVE: "2021 wouldn't be complete without another failed Log4j disclosure in motion during the holiday period again. (Thankfully if it's this one, it's almost no risk in the real world)."
Beaumont says an attacker can only leverage this vulnerability if they can already "modify the Log4j config file."
He says in his tweet thread: "To be absolutely clear, that is a non-issue for 99.999% of situations - if somebody is modifying your Tomcat install, they already own your box. It was discussed almost ten years ago."
In fact, in a separate post, Beaumont advises: "Do not freak out over latest Log4j CVE."
And Casey Ellis, CTO and founder of vulnerability platform Bugcrowd, challenged the disclosure method employed by the Checkmarx researcher in describing the new flaw.
Ellis also says, "It's fairly safe to expect more of these types of vulnerability announcements over the coming weeks." The Bugcrowd CTO adds that immediately updating to Apache's latest version, or mitigating wherever that is not possible, remains crucial and will help security teams stay current on Log4j. This comes amid reports of active scanning for vulnerable systems and of sophisticated threat actors and advanced persistent threats moving on the logging flaw.
Checkmarx did not immediately return Information Security Media Group's request for comment.
Microsoft Launches Log4j Dashboard
Tech giant Microsoft has attempted to stay current on all things Log4j and has launched a new dashboard in its 365 Defender portal, which the company says can help customers identify files, software and devices that could be affected by Log4j. The dashboard also provides guidance on threat management and other tasks associated with mitigating the pervasive threats of CVE-2021-44228.
The dashboard includes a "vulnerability summary" with details of exposure, including the appropriate CVE tracking number, CVSS score and other information, and detects where devices and software have been exposed.
"Scan results may take some time to reach full coverage, and the number of discovered devices may be low at first but will grow as the scan reaches more devices," Microsoft's security blog says.
The new features, first rolled out on Monday, are available now for Windows and a version supporting macOS is currently in the works.
Last week, the U.S. Cybersecurity and Infrastructure Security Agency, the FBI and the National Security Agency, along with several international law enforcement partners, issued a joint advisory on the known vulnerabilities in the Apache Log4j software library, urging "any organization using products with Log4j to mitigate and patch immediately" (see: CISA, International Partners Advise All Orgs to Patch Log4j).
The advisory followed CISA's emergency directive, issued Dec. 17, overriding the previous deadline of Dec. 24 to patch for Log4j and instead telling federal agencies and departments to patch or mitigate immediately (see: CISA to Agencies: Patch Log4j Vulnerability 'Immediately').
Commenting on the agencies' joint warning, CISA Director Jen Easterly said, "We implore all entities to protect their networks. CISA is working shoulder to shoulder with our interagency, private sector, and international partners to understand the severe risks associated with Log4j vulnerabilities and provide actionable information for all organizations to promptly implement appropriate mitigations. These vulnerabilities are the most severe that I've seen in my career, and it's imperative that we work together to keep our networks safe."
CISA has created a dedicated Log4j webpage containing technical details, mitigation guidance and other resources. It has also created a community-sourced GitHub repository of affected devices and services.
Check Point, Alibaba
Elsewhere, researchers at the Israeli security firm Check Point recently said they had prevented some 4.3 million attempts to leverage the vulnerabilities - with 46% of those attempts made by "known malicious groups." The firm said more than 48% of corporate networks have seen attempted Log4j exploits.
Check Point also said earlier this month that a known Iranian hacking group, Charming Kitten, aka APT35, has been behind attempts to exploit the Apache flaw - particularly against Israeli targets, including its government and businesses.
The explosive Log4j vulnerability was originally reported to the U.S.-based Apache Software Foundation on Nov. 24, but Chinese regulators are reportedly suspending an information-sharing partnership with Alibaba Cloud Computing, which has been credited with unearthing the vulnerability, over its alleged failure to promptly report and address the flaw with the Chinese government, according to a recent Reuters report.
ISMG Staff Writer Dan Gunderman contributed to this report.