Last Thursday, the world learned about an in-the-wild utilization of critical code execution zero-day in Log4J, a logging tool used by virtually every cloud service and enterprise network on the planet. Open source developers quickly released an update that fixed the bug and encouraged all users to install it immediately.
Now, researchers report that there are at least two vulnerabilities in the patch, released as Log4J 2.15.0, and that attackers are actively exploiting one or both of them against real-world targets that have already applied the update. The researchers urge organizations to install a new patch, released as version 2.16.0, as soon as possible to correct the vulnerability, which is detected as CVE-2021-45046.
The earlier fix, researchers said late Tuesday, “was incomplete in certain non-standard configurations” and allowed attackers to perform denial-of-service attacks, which typically make it easy to take vulnerable services completely offline until victims restart their servers or perform other actions.
On Wednesday, researchers at security firm Praetorian said there is an even more serious vulnerability in 2.15.0 – an error in the disclosure of information that could be used to download data from affected servers.
“In our research, we have shown that 2.15.0 can still allow the filtering out of sensitive data under certain circumstances,” wrote Pretoria-based researcher Nathan Sportsman. “We have provided technical details of the issue to the Apache Foundation, but in the meantime, we strongly recommend that customers upgrade to 2.16.0 as soon as possible.”
The researchers released the following video showing their proof-of-concept exploitation in action:
Researchers for the content delivery network Cloudflare meanwhile said on Wednesday that CVE-2021-45046 is now under active use. The company urged people to update to version 2.16.0 as soon as possible.
The Cloudflare post did not say whether attackers only use the vulnerability to carry out DoS attacks, or whether they also exploit it to steal data. Researchers from Cloudflare were not immediately available to clarify. Praetorian researchers were also not immediately available to say whether they are aware of in-the-wild attacks that exploit the data-filtering error. They also did not provide further information about the vulnerability because they did not want to provide information that would make it easier for hackers to exploit it.
A representative of the Apache Foundation, the group that manages Log4J, said they examined the reports from Praetorian and Cloudflare. This story will be updated if new information warrants.