Log4J patch to fix serious zero-day has its own vulnerability that is already actively exploited

The Log4J exploits that have been plaguing server administrators for the past week continue as the patch issued to block the intrusions appears to have security flaws of its own. Some companies that had already updated to Log4J 2.15.0 have continued suffering attacks from at least one of two new weaknesses found.

Last week, security researchers notified developers that they had discovered an actively exploited zero-day vulnerability in the Apache Struts framework. The flaw was in the Log4J logging utility. The Apache Foundation issued a fix with version 2.15.0 and publicly disclosed the weakness over the weekend.

During the 72 hours after issuing the update, exploiting of the flaw skyrocketed, with researchers tracking up to 100 attacks per minute and nearly a million incidents in total. Large firms, including Apple, Amazon, Cisco, and others, scrambled to patch the hole.

Almost as quickly as systems were installing Log4J 2.15.0, security firms Praetorian and Cloudflare began seeing active attacks in the patched systems. Researchers pinpointed at least two exploits in a new vulnerability tracked as CVE-2021-45046.

One weakness, found on Tuesday, allowed hackers to perform DDoS attacks by manipulating “message lookup patterns” and “JNDI functionality.” Apache has now disabled these by default in Log4J 2.16.0.

Then on Wednesday, Praetorian analysts found another exploit that would allow hackers to exfiltrate data from vulnerable servers. Praetorian posted a proof-of-concept video demonstrating exfiltration on Log4J 2.15.0 (above). Update 2.16.0 takes care of that too.

“In our research, we have demonstrated that 2.15.0 can still allow for exfiltration of sensitive data in certain circumstances,” noted Praetorian in a warning to upgrade immediately. “We have passed technical details of the issue to the Apache Foundation, but in the interim, we strongly recommend that customers upgrade to 2.16.0 as quickly as possible.”

Security firm Cloudflare said on Wednesday that it is tracking CVE-2021-45046 and has already seen the flaw being actively exploited but did not mention whether the attacks were DDoS, data exfiltration, or both. It too recommends system administrators update to Log4J 2.16.0 ASAP.

Both companies are keeping technical details of the exploits under wraps while industry workers update their systems.