One assumption about the 10-out-of-10, extremely severe, you-must-fix-right-now Log4j security vulnerability was that it was limited to exposed vulnerable servers.
That may now be an incorrect assumption.
The security company Blumira claims to have found a new Log4j attack vector:
Previously, we understood that the impact of Log4j was limited to vulnerable servers. This newly-discovered attack vector means that anyone with a vulnerable Log4j version on their machine or local private network can browse a website and potentially trigger the vulnerability. At this point, there is no proof of active exploitation.
This vector significantly expands the attack surface and can impact services even running as localhost which were not exposed to any network.
The client itself generally has no direct control over these WebSocket connections, which can silently initiate when a webpage loads. WebSocket connections within the host can be difficult to gain deep visibility into, which increases the complexity of detection for this attack.
Blumira suggests users “update all local development efforts, internal applications, and internet-facing environments to Log4j 2.16 as soon as possible, before threat actors can weaponize this exploit further”. This news makes this vulnerability, which was already one of the worst ever seen, absolutely devastating.
Happy holidays sysadmins.
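The upgrade advice quoted above covers local development machines and internal hosts, so the first step is finding where old copies live. As an added example (not from Blumira or the original post), this Python script walks a directory tree, flags log4j-core 2.x jars older than 2.16 by file name, and reports whether each still contains the JndiLookup class. The directory layout and jar files are constructed sample data, and matching on the file name is an assumption that misses renamed or bundled copies.

```python
import re
import tempfile
import zipfile
from pathlib import Path

MIN_SAFE = (2, 16, 0)  # upgrade target named in the advice quoted on this page
JAR_NAME = re.compile(r"log4j-core-(\d+)\.(\d+)(?:\.(\d+))?.*\.jar$")
JNDI_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"


def parse_version(jar_name):
    """Return (major, minor, patch) from a log4j-core jar file name, or None."""
    m = JAR_NAME.search(jar_name)
    if not m:
        return None
    return tuple(int(g or 0) for g in m.groups())


def find_outdated(root):
    """List (path, version, has_jndi_lookup) for log4j-core 2.x jars below MIN_SAFE.

    Assumption: jars keep their standard file name; shaded or fat jars are not seen.
    """
    findings = []
    for jar in sorted(Path(root).rglob("log4j-core-*.jar")):
        version = parse_version(jar.name)
        if version is None or version[0] != 2 or version >= MIN_SAFE:
            continue
        try:
            with zipfile.ZipFile(jar) as zf:
                has_jndi = JNDI_CLASS in zf.namelist()
        except zipfile.BadZipFile:
            has_jndi = None  # unreadable archive: still reported, contents unknown
        findings.append((str(jar), version, has_jndi))
    return findings


def build_sample_tree(root):
    """Constructed sample data: three fake jars in a made-up directory layout."""
    for rel, with_jndi in [("dev/app/lib/log4j-core-2.14.1.jar", True),
                           ("internal/svc/log4j-core-2.16.0.jar", False),
                           ("tools/old/log4j-core-2.10.0.jar", False)]:
        path = Path(root) / rel
        path.parent.mkdir(parents=True, exist_ok=True)
        with zipfile.ZipFile(path, "w") as zf:
            zf.writestr(JNDI_CLASS if with_jndi else "META-INF/MANIFEST.MF", "")


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        print(find_outdated(tmp))
```

Point `find_outdated` at a home directory, build cache or application install path to get the same report for a real machine.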