Patch Fixing Log4j Vulnerability Has A Vulnerability…. Oh Boy

There are reports that a patch that fixes the Log4j vulnerability has a vulnerability. Which is mind blowing:

Now, researchers are reporting that there are at least two vulnerabilities in the patch, released as Log4J 2.15.0, and that attackers are actively exploiting one or both of them against real-world targets who have already applied the update. The researchers are urging organizations to install a new patch, released as version 2.16.0, as soon as possible to fix the vulnerability, which is tracked as CVE-2021-45046.

The earlier fix, researchers said on late Tuesday, “was incomplete in certain non-default configurations” and made it possible for attackers to perform denial-of-service attacks, which typically make it easy to take vulnerable services completely offline until victims reboot their servers or take other actions. Version 2.16.0 “fixes this issue by removing support for message lookup patterns and disabling JNDI functionality by default,” according to the above-linked vulnerability notice.

On Wednesday, researchers at security firm Praetorian said there’s an even more serious vulnerability in 2.15.0—an information disclosure flaw that can be used to download data from affected servers.

“In our research, we have demonstrated that 2.15.0 can still allow for exfiltration of sensitive data in certain circumstances,” Praetorian researcher Nathan Sportsman wrote. “We have passed technical details of the issue to the Apache Foundation, but in the interim, we strongly recommend that customers upgrade to 2.16.0 as quickly as possible.”

Well, this is not good. It looks like sysadmins that worked hard to patch all the things have to patch all the things again. And they also have to hope that no further issues are found.

This vulnerability is the gift that keeps on giving.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

This site uses Akismet to reduce spam. Learn how your comment data is processed.

%d bloggers like this: