A second log4j vulnerability (CVE-2021-45046) was uncovered on Dec. 15 and has already been patched. In the description, it is stated that the original fix to address CVE-2021-44228 “was incomplete in certain non-default configurations.” The release of log4j 2.16.0 fixed the issue by removing support for message lookup patterns, according to the CVE record.

“The safest thing to do is to upgrade Log4j to a safe version or remove the JndiLookup class from the log4j-core jar,” according to the Apache Log4j Security Vulnerabilities page.

The Cybersecurity and Infrastructure Security Agency (CISA) updated its Vulnerability Guidance page to reflect this second vulnerability. In the update, the agency added: “A remote attacker can exploit this second Log4j vulnerability to cause a denial-of-service (DOS) condition in certain non-default configurations. Note: affected organizations that have already upgraded to Log4j 2.15.0 will need to upgrade to Log4j 2.16.0 to be protected against both CVE-2021-44228 and CVE-2021-45046.”

CISA has issued guidance telling vendors and affected organizations to ensure they’ve now updated to 2.16.0 in order to protect from both vulnerability.

The exploits on log4j are officially getting more sophisticated, according to Microsoft, including state-sponsored hackers from China, Iran, North Korea and Turkey.

This includes Chinese state-sponsored group HAFNUIM (of Microsoft Exchange hack fame), which has been using a DNS service “typically associated with testing activity to fingerprint systems,” Microsoft stated.

“The bulk of attacks that Microsoft has observed at this time have been related to mass scanning by attackers attempting to thumbprint vulnerable systems, as well as scanning by security companies and researchers,” Microsoft wrote in its security blog.

One of the targets currently includes Minecraft servers, according to Microsoft. Minecraft is a popular sandbox and survival video game which is regarded as the best-selling video game of all time with nearly 140 million monthly active users.

“Microsoft can confirm public reports of the Khonsari ransomware family being delivered as payload post-exploitation, as discussed by Bitdefender. In Microsoft Defender Antivirus data we have observed a small number of cases of this being launched from compromised Minecraft clients connected to modified Minecraft servers running a vulnerable version of Log4j 2 via the use of a third-party Minecraft mods loader,” Microsoft wrote on its blog post.

Patch Released for Second Log4j Vulnerability

Hot Topics in Cybersecurity Posted by Jen Greco on Dec 16, 2021