Fix for Log4J exploit has its own vulnerabilities
Open-source developers released a patch for a severe vulnerability in Apache’s Log4J, and the fix has been discovered to have two vulnerabilities of its own.
According to a report from Ars Technica, the fix allowed attackers to execute denial-of-service attacks, making it easy to take vulnerable services offline until their servers are rebooted.
Researchers are encouraging users to update to a new patch — 2.16.0 — as a potential fix for the vulnerability.
They said that the initial fix “was incomplete in certain non-default configurations” and that the new patch “fixes this issue by removing support for message lookup patterns and disabling JNDI functionality by default”.
The zero-day exploit was detected on 9 December 2021 by LunaSec and has made organisations such as Apple, Tesla, and Amazon vulnerable to attacks.
The exploit, also known as Log4Shell and tracked as CVE-2021-44228, allows an attacker to inject log messages or message parameters into server logs that load code from a remote server.
IT security company Sophos detected a rapid increase in attacks exploiting Log4J on Sunday, 12 December.
“Since Dec. 9, Sophos has detected hundreds of thousands of attempts to remotely execute code using the Log4Shell vulnerability,” said Sophos senior threat researcher Sean Gallagher.
Gallagher highlighted the severity of the Log4J vulnerability.
“Many software vulnerabilities are limited to a specific product or platform, such as the ProxyLogon and ProxyShell vulnerabilities in Microsoft Exchange. Once defenders know what software is vulnerable, they can check for and patch it,” he said.
“However, Log4Shell is a library that is used by many products. It can therefore be present in the darkest corners of an organisation’s infrastructure, for example any software developed in-house.”
“Finding all systems that are vulnerable because of Log4Shell should be a priority for IT security,” he added.
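The inventory step Gallagher describes can be automated in a small way: the script below is an added example (not code from the article, Sophos or the Log4J project) that walks a directory tree, identifies log4j-core jars by their Maven metadata, reports any older than the 2.16.0 release the article names, and separately recognises jars whose JndiLookup class has been stripped out. It assumes the real internal paths of log4j-core jars (pom.properties and JndiLookup.class) and builds three constructed sample jars of its own to scan.

```python
import os, re, tempfile, zipfile
from pathlib import Path

# 2.16.0 is the fix version the article names (adjust as later advisories supersede it);
# the two paths below exist inside real log4j-core jars.
FIXED_VERSION = (2, 16, 0)
POM_PROPS = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
JNDI_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"

def inspect_jar(path):
    """Return (version tuple, has_jndi_lookup) for a log4j-core jar, else None."""
    with zipfile.ZipFile(path) as jar:
        names = set(jar.namelist())
        if POM_PROPS not in names:
            return None
        props = jar.read(POM_PROPS).decode("utf-8", "replace")
        match = re.search(r"^version=(.+)$", props, re.MULTILINE)
        version = tuple(int(p) for p in re.findall(r"\d+", match.group(1))[:3]) if match else ()
        return version, JNDI_CLASS in names

def scan(root):
    """Walk root and map each log4j-core jar (by file name) to a verdict."""
    findings = {}
    for path in Path(root).rglob("*.jar"):
        try:
            info = inspect_jar(path)
        except zipfile.BadZipFile:
            continue  # unreadable archive: skip it rather than abort the inventory
        if info is None:
            continue
        version, has_jndi = info
        if version and version >= FIXED_VERSION:
            verdict = "patched"
        else:
            verdict = "vulnerable" if has_jndi else "mitigated: JndiLookup class removed"
        findings[path.name] = verdict
    return findings

def make_sample_jar(path, version, include_jndi=True):
    # Constructed fixture: a minimal jar that mimics log4j-core's metadata layout.
    with zipfile.ZipFile(path, "w") as jar:
        jar.writestr(POM_PROPS, f"artifactId=log4j-core\nversion={version}\n")
        if include_jndi:
            jar.writestr(JNDI_CLASS, b"")

def demo():
    """Build three constructed jars in a temporary directory and scan them."""
    root = tempfile.mkdtemp()
    make_sample_jar(os.path.join(root, "log4j-core-2.14.1.jar"), "2.14.1")
    make_sample_jar(os.path.join(root, "log4j-core-2.16.0.jar"), "2.16.0")
    make_sample_jar(os.path.join(root, "log4j-core-stripped.jar"), "2.14.1", include_jndi=False)
    return scan(root)
```

Point `scan()` at an application or deployment root to get the same verdicts for real jars; note that it does not open jars nested inside other archives (WAR or EAR files, fat jars), which is exactly where in-house software tends to hide the library.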