As Apache Releases New Patch, Researchers Discover New Log4j Attack Vector


Security researchers have discovered a new attack vector that exploits the Log4j vulnerability as the Apache Foundation released a new patch to address the overall issue.

Discovered at the end of last week by researchers at Blumira Inc., the new attack vector relies on a JavaScript WebSocket connection to trigger remote code execution on unpatched Log4j applications that are internal or exposed only locally.

Previously discovered ways of exploiting Log4j were through vulnerable servers. This attack vector differs in that anyone with a vulnerable version of Log4j on a local machine or private network can browse a website and potentially trigger the vulnerability.

This attack vector greatly expands the attack surface, since the vulnerability can be triggered through a malicious website. It can affect even services bound to localhost that have never been exposed to any network.

The researchers noted that there is no evidence of active exploitation, but the client typically has no direct control over WebSocket connections, which can be opened silently as soon as a web page loads. Gaining deep visibility into WebSocket connections is difficult, which makes detecting this attack more complex.

“WebSockets have been used in the past to scan ports on internal systems, but this represents one of the first remote code execution exploits relayed by WebSockets,” Jake Williams, co-founder and CTO of incident response company BreachQuest Inc., told SiliconANGLE. “That shouldn’t change anyone’s stance on vulnerability management, however. Organizations should strive to quickly patch and mitigate by preventing outbound connections from potentially vulnerable services where patching is not an option.”

John Bambenek, senior threat hunter at IT service management company Netenrich Inc., noted that while the newly discovered attack vector is important, attackers will likely favor the remote exploit over the local one.

“That being said, this news means that relying on the WAF or other network defenses is no longer effective mitigation,” Bambenek added. “Applying fixes is still the most important step an organization can take.”

The emergence of a new attack vector comes as Apache was forced to release a third patch for the Log4j vulnerability, version 2.17.0.

Apache says the patch fixes an issue in 2.16.0, which did not protect against uncontrolled recursion from self-referential lookups and therefore left that version open to CVE-2021-45105, a Log4j denial-of-service vulnerability.

The severity of the Log4j vulnerability continues to draw attention, including from government agencies. After initially warning of the vulnerability on Dec. 14 and ordering all federal agencies to fix it by Dec. 24, the U.S. Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency released an emergency directive on Dec. 17.

The CISA emergency directive orders all federal civilian executive branch agencies to address the Log4j vulnerability. It applies only to government agencies, but CISA strongly recommended that all organizations review the directive for mitigation advice.

Image: Apache