Log4j saga: the first patch is already being exploited
If you have the Log4j 2.15.0 patch installed, make sure to update to version 2.16.0 immediately.
Less than a week after the global onslaught of what appears to be the zero-day exploit of the year, security researchers are once again ringing the alarm.
According to one report, the security patch released as Log4j 2.15.0 itself had at least two vulnerabilities, which attackers are now actively exploiting against targets that have patched their systems.
Needless to say, anyone who has version 2.15.0 installed should immediately update to version 2.16.0 in order to patch the new CVE-2021-45046 security flaw, which is already under active exploitation according to Cloudflare.
The researchers who discovered the flaw note that previous mitigations “do NOT mitigate this specific vulnerability” and that version 2.16.0 “fixes this issue by removing support for message lookup patterns and disabling JNDI functionality by default.”
Meanwhile, Ars Technica reported on Wednesday that version 2.15.0 suffers from an additional information disclosure flaw that can be exploited in order to exfiltrate stolen data from servers that have the patch installed, according to security firm Praetorian.
“In our research, we have demonstrated that 2.15.0 can still allow for exfiltration of sensitive data in certain circumstances,” explained Praetorian researcher Nathan Sportsman. While Praetorian reported the issue to the Apache Foundation, the researchers still “strongly recommend that customers upgrade to 2.16.0 as quickly as possible.”
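The practical takeaway of the two reports above is a version threshold: 2.15.0 is not good enough, and anything below 2.16.0 needs upgrading. The following dependency audit is an added example, not code from the article or from the Log4j project; it assumes input in the style of `mvn dependency:tree` output (a constructed sample is embedded) and treats 2.16.0 as the fixed version, as this article states.

```python
import re
from dataclasses import dataclass

# Versions discussed in the article: 2.15.0 is itself affected
# (CVE-2021-45046), 2.16.0 is the recommended fix.
FIXED_VERSION = (2, 16, 0)
BROKEN_PATCH = (2, 15, 0)

# Constructed sample in the style of `mvn dependency:tree` output
# (assumed format; not taken from the article).
SAMPLE_TREE = """\
[INFO] com.example:app:jar:1.0
[INFO] +- org.apache.logging.log4j:log4j-core:jar:2.15.0:compile
[INFO] |  \\- org.apache.logging.log4j:log4j-api:jar:2.15.0:compile
[INFO] +- org.apache.logging.log4j:log4j-core:jar:2.16.0:test
[INFO] \\- com.example:legacy:jar:3.2.1:compile
[INFO]    \\- org.apache.logging.log4j:log4j-core:jar:2.14.1:compile
"""

# Only log4j-core carries the vulnerable lookup code; log4j-api is ignored.
COORD_RE = re.compile(
    r"org\.apache\.logging\.log4j:log4j-core:jar:"
    r"(?P<version>\d+(?:\.\d+)*(?:-[0-9A-Za-z]+)?):(?P<scope>\w+)"
)

@dataclass(frozen=True)
class Finding:
    version: str
    scope: str
    verdict: str

def parse_version(v):
    """Map '2.15.0' to a comparable tuple; a qualified build such as
    '2.16.0-rc1' sorts below the plain 2.16.0 release."""
    core, _, qualifier = v.partition("-")
    numbers = tuple(int(p) for p in core.split("."))
    return numbers + ((0,) if qualifier else (1,))

def classify(version):
    parsed = parse_version(version)
    if parsed >= FIXED_VERSION + (1,):
        return "ok"
    if parsed[:3] == BROKEN_PATCH:
        return "vulnerable: 2.15.0 still affected (CVE-2021-45046), upgrade to 2.16.0"
    return "vulnerable: pre-2.15.0, exposed to the original Log4Shell flaw, upgrade to 2.16.0"

def audit(tree_text):
    """Return one Finding per log4j-core artifact found in the tree text."""
    return [Finding(m["version"], m["scope"], classify(m["version"]))
            for line in tree_text.splitlines()
            if (m := COORD_RE.search(line))]
```

Note that a test-scoped 2.16.0 does not fix a compile-scoped 2.15.0 pulled in transitively, which is why each occurrence is reported separately.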
The Log4j exploitation party has only begun
Brett Callow, Threat Analyst at Emsisoft, says that the race to leverage Log4j has only begun. The loot is ripe for taking before all systems are patched, meaning there might be a spike in illicit activities in the coming weeks.
“Threat actors will now be in a race to leverage Log4j before patches are deployed, and some will likely be banking access for later use - meaning we could see a spike in Log4j-related security incidents, including ransomware incidents, in the coming weeks,” Callow claims.
Companies with servers confirmed to be vulnerable to Log4Shell attacks include Apple, Amazon, Twitter, Steam, Baidu, NetEase, Tencent, Elastic and likely hundreds if not thousands more.