Log4j vulnerabilities at midweek.

A second vulnerability in Log4j is identified (and fixed).

A second vulnerability in Apache Log4j has been discovered. Unlike its Log4shell cousin, it hasn't as we go to press received a catchy nickname yet, but MITRE has registered the issue as CVE-2021-45046. MITRE says:

"It was found that the fix to address CVE-2021-44228 in Apache Log4j 2.15.0 was incomplete in certain non-default configurations. This could allows attackers with control over Thread Context Map (MDC) input data when the logging configuration uses a non-default Pattern Layout with either a Context Lookup (for example, $${ctx:loginId}) or a Thread Context Map pattern (%X, %mdc, or %MDC) to craft malicious input data using a JNDI Lookup pattern resulting in a denial of service (DOS) attack."

In any case, the flaw is now patched, and organizations should either apply that patch or, if they're using older versions of Log4j, they should disable JNDI functionality. That's in any case the default in the newer, patched versions.

CISA offers an update on Log4shell.

Late yesterday afternoon, and running into the early evening, the US Cybersecurity and Infrastructure Security Agency (CISA) held a phone conference with the media to discuss the current state of risk and remediation surrounding Log4shell. CyberScoop quotes CISA’s Executive Assistant Director Eric Goldstein to the effect that, "Certainly given the nature of this vulnerability, the triviality of exploitation, the ubiquity of the presence across enterprise, consumer and IoT [internet of things] products — really, our broad focus here is driving mitigation across the board, recognizing that malicious cyber actors of all types may decide to use this vulnerability to achieve a variety of attack types or drive a variety of malicious ends,” 

In some respects Goldstein offered reassurances that exploitation had so far been not as consequential as it might have been, but that this was no grounds for complacency. "At this point in time, we are not seeing widespread, highly sophisticated damaging intrusion campaigns," ABC News quotes him as saying, "but certainly we are deeply concerned about the prospects of adversaries using this vulnerability to cause real harm and even impacting national critical functions, which is why we have such a sense of urgency at CISA and across the cybersecurity community to drive urgent mitigation and adoption of controls wherever we can." 

On balance, however, as Reuters reports, CISA thinks most of the activity has been scaning and cryptojacking, and that it hasn't confirmed industry reports of more damaging activity.

And more consequential exploitation seems to have begun.

Those industry reports are warning of both nation-state activity and more sophisticated moves from cyber gangland.

We've seen, as the Record notes, that Log4shell has been exploited to distribute ransomware. It's also now being used by nation-state espionage services. Microsoft reported yesterday that it's seeing "the CVE-2021-44228 vulnerability being used by multiple tracked nation-state activity groups originating from China, Iran, North Korea, and Turkey. This activity ranges from experimentation during development, integration of the vulnerability to in-the-wild payload deployment, and exploitation against targets to achieve the actor’s objectives." Microsoft particularly draws attention to Iran's Phosphorus and China's Hafnium groups as among the nation-state actors that have been using Log4shell against their targets.

Mandiant has also, SecurityWeek reports, seen Iranian and Chinese exploitation in progress. Mandiant thinks more intelligence services will be joining the party soon. The company's vice president of intelligence analysis, John Hultquist, emailed SecurityWeek to tell them,“We have seen Chinese and Iranian state actors leveraging this vulnerability, and we anticipate other state actors are doing so as well, or preparing to. We believe these actors will work quickly to create footholds in desirable networks for follow-on activity, which may last for some time. In some cases, they will work from a wish list of targets that existed long before this vulnerability was public knowledge. In other cases, desirable targets may be selected after broad targeting.”

The criminal-to-criminal market has also taken note, and Microsoft has seen access brokers working to monetize the vulnerability: "MSTIC and the Microsoft 365 Defender team have confirmed that multiple tracked activity groups acting as access brokers have begun using the vulnerability to gain initial access to target networks. These access brokers then sell access to these networks to ransomware-as-a-service affiliates. We have observed these groups attempting exploitation on both Linux and Windows systems, which may lead to an increase in human-operated ransomware impact on both of these operating system platforms."

Useful resources.

The basic advice about handling the vulnerability has remained stable. Both ESET and Fastly, to take two of the many security firms who've published recommendations, emphasize the importance of determining where the Log4shell vulnerability exists in an organization, and of then applying the available patches. BleepingComputer is offering a list of affected products along with vendor advice on mitigation, and SecurityWeek is maintaining a current list of tools and resources for defenders.

More recent observations concerning Log4shell.

Ami Luttwak, CTO at Wiz, wrote, “Wiz research shows that more than 89% of all environments have vulnerable Log4j libraries. And in many of them, the dev teams are sure they have zero exposure — and are surprised to find out that some third-party component is actually built using Java. “The real race last weekend wasn’t F1," Luttwak's colleague, Wiz CEO Assaf Rappaport added. "Security teams worldwide were racing hackers on log4shell, and it’s asymmetrical warfare. The good guys need to be armed with the best tools.”

And, finally, spare a thought for the Apache volunteers working their end of this problem. The Apache Software Foundation is, the Wall Street Journal reminds us, a US 501(c)(3) not-for-profit, and dependent on its volunteers. Their work is invaluable. Self-described "cybersecurity pleb" and DoublePulsar editor Kevin Beaumont, who tweets under the handle @GossiTheDog, has been following the Log4shell incident with bemused interest. He summed things up yesterday with an askance look at some of the freewheeling history of open-source development: "[B]asically the perfect ending to cybersecurity in 2021 is a 90s style Java vuln in an open source module, written by two volunteers with no funding, used by large cybersecurity vendors, undetected until Minecraft chat got pwned, where nobody knows how to respond properly." (Nicely woofed; good doggy.)