
Apache releases fifth patch this month to close another bug in Log4j


More than one security researcher predicted that the Log4j/Log4Shell vulnerabilities discovered before Christmas would not be the last.

They were right.

Apache has released another security update for the logging library that administrators now must install in their applications. As of Tuesday, the latest version of Log4j that should be on systems running Java 8 is 2.17.

This is the fifth vulnerability that has surfaced since December 9.

There is no assurance that this will be the last, now that security researchers are increasing their scrutiny of the library.

The latest update, version 2.17.0, officially closes a remote code execution vulnerability, CVE-2021-44832.

Without this patch, an attacker with permission to modify the log4j logging configuration file could use a JDBC appender to build a malicious configuration in which the data source refers to a JNDI URI that can execute remote code. This problem is fixed by limiting the JNDI data source names to the Java protocol.

Researchers at Checkmarx say they discovered and reported this latest bug, which they describe as a deserialization vulnerability. Unlike the earlier flaws, it does not rely on the now-disabled lookup feature, they said in a blog post. "The complexity of this vulnerability is greater than that of the original CVE-2021-44228 because it requires the attacker to take control of the [log4j] configuration (such as the 'logback' vulnerability CVE-2021-42550)."

Unlike logback, says Checkmarx, log4j can load a remote configuration file or be configured programmatically. As a result, arbitrary code execution can be achieved through a man-in-the-middle attack, through user input ending up in a vulnerable configuration variable, or by modifying the log4j configuration file.
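The fix described above limits JDBC appender data source names to the `java:` JNDI scheme. The same rule can be applied as a defensive audit of deployed configuration files, which is useful while patched builds are still rolling out. The following is an added example, not code from Apache, Checkmarx or this article. It assumes the standard Log4j 2 XML configuration layout (a `JDBC` appender containing a `DataSource` element with a `jndiName` attribute); the two sample configurations and the `example.invalid` host are constructed for the demonstration.

```python
"""Audit Log4j 2 XML configurations for JDBC appenders whose DataSource
points at a JNDI name outside the java: scheme.

Added example (not Apache or Checkmarx code). Assumes the conventional
Log4j 2 XML layout; JSON, YAML and properties configurations are not parsed.
"""
import xml.etree.ElementTree as ET


def _attr(elem, name):
    """Case-insensitive attribute lookup; Log4j 2 treats names case-insensitively."""
    for key, value in elem.attrib.items():
        if key.lower() == name.lower():
            return value
    return None


def find_unsafe_datasources(xml_text):
    """Return (appender name, jndiName) pairs whose JNDI name does not use the
    java: scheme, i.e. the pattern CVE-2021-44832's fix rejects.
    Element names are matched case-insensitively, as Log4j 2 does."""
    root = ET.fromstring(xml_text)
    findings = []
    for elem in root.iter():
        if elem.tag.lower() != "jdbc":
            continue
        appender = _attr(elem, "name") or "<unnamed>"
        for child in elem:
            if child.tag.lower() != "datasource":
                continue
            jndi = (_attr(child, "jndiName") or "").strip()
            if not jndi.lower().startswith("java:"):
                findings.append((appender, jndi))
    return findings


# Constructed sample: a container-local data source, which the fixed code allows.
SAFE_CONFIG = """
<Configuration status="WARN">
  <Appenders>
    <JDBC name="db" tableName="application_log">
      <DataSource jndiName="java:comp/env/jdbc/LoggingDataSource"/>
      <Column name="eventDate" isEventTimestamp="true"/>
      <Column name="message" pattern="%message"/>
    </JDBC>
  </Appenders>
  <Loggers>
    <Root level="info"><AppenderRef ref="db"/></Root>
  </Loggers>
</Configuration>
"""

# Constructed sample: a DataSource resolved over a remote JNDI provider.
# The host is a placeholder; this is the shape an auditor wants flagged.
UNSAFE_CONFIG = """
<Configuration status="WARN">
  <Appenders>
    <jdbc name="db" tableName="application_log">
      <datasource jndiName="ldap://example.invalid/x"/>
      <Column name="message" pattern="%message"/>
    </jdbc>
  </Appenders>
  <Loggers>
    <Root level="info"><AppenderRef ref="db"/></Root>
  </Loggers>
</Configuration>
"""

if __name__ == "__main__":
    for label, cfg in (("safe", SAFE_CONFIG), ("unsafe", UNSAFE_CONFIG)):
        print(label, find_unsafe_datasources(cfg))
```

The check is a complement to upgrading, not a replacement: it only covers configurations on disk, while the article notes that configuration can also arrive remotely or be set in code, which an on-disk audit cannot see.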

Meanwhile, the number of organizations hit while running vulnerable versions of log4j continues to increase. The Bleeping Computer news site reports that Vietnamese cryptocurrency trading platform ONUS was recently attacked, with the threat actor demanding roughly US$5 million in ransom for copied customer data.

After the company refused to pay the ransom, the threat actors put the data of about 2 million ONUS customers up for sale on forums, the report said.

According to the news report, between December 11 and 13 — right after the December 9 warnings went around the world — threat actors successfully exploited the Log4Shell vulnerability on ONUS servers running Cyclos payment software.

While Cyclos released a patch for ONUS on December 13th, that was not fast enough.

Infosec professionals with systems running log4j have been advised to assume that their applications have been compromised even after patching and should scan them for signs of intrusion.

That is the guidance of cyber security agencies in Canada, the US, the UK, Australia and New Zealand.
