Updated CVE-2021-44228 and CVE-2021-45046 summary

A couple of weeks ago information security media reported the discovery of the critical vulnerability CVE-2021-44228 in the Apache Log4j library (CVSS severity level 10 out of 10). The threat, also named Log4Shell or LogJam, is a Remote Code Execution (RCE) class vulnerability. If an attacker manages to exploit it on a vulnerable server, they gain the ability to execute arbitrary code and potentially take full control of the system. A publicly published Proof-of-Concept, as well as the vulnerability's easy exploitability, make this situation particularly dangerous.

Some time later researchers reported another vulnerability, assigned CVE-2021-45046. Initial reports said that it can cause Denial of Service (DoS) and that only specific non-default configurations are vulnerable, so its severity was set to a low value of 3.7 points. However, a bit later it was increased to 9.0 because in some cases attacks based on this vulnerability can lead to remote code execution (RCE).

Kaspersky is aware of PoCs in the public domain and of the possible exploitation of CVE-2021-44228 and CVE-2021-45046 by cybercriminals. Our products protect against attacks leveraging both vulnerabilities, including PoC usage.

The remote code execution vulnerability CVE-2021-44228 was found in the Apache Log4j library, a part of the Apache Logging Project. If a product uses a vulnerable version of this library with the JNDI module for logging purposes, there is a high possibility that this vulnerability can be exploited. Almost all versions of Log4j are vulnerable, from 2.0-beta9 to 2.14.1.

Log4j includes a Lookup mechanism that can be used to make requests through special syntax in a format string. For example, it can be used to request various parameters, such as the version of the Java environment via $.

Unfortunately, the mitigations related to formatMsgNoLookups and noFormatMsgLookup that were introduced to fix the previous vulnerability do not prevent the new one. An attacker who controls this username can do a recursive lookup that leads to a stack overflow error and causes Denial of Service (DoS). In other situations, with some specific configurations, it may even cause remote code execution (RCE).
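As an added example (not code from the article or from Kaspersky), here is a small inventory check from the defender's side: it reads the Maven pom.properties that log4j-core JARs carry and flags any version inside the range the article names for CVE-2021-44228, 2.0-beta9 through 2.14.1. The pom.properties path follows the standard Maven layout, and the sample JAR builder is a constructed test fixture.

```python
import io
import re
import zipfile
from pathlib import Path

# Maven records the artifact version at this path inside a log4j-core JAR.
POM_PROPERTIES = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)(?:\.(\d+))?(?:-(beta|rc)(\d+))?$", re.IGNORECASE)
_QUALIFIER_RANK = {"beta": 0, "rc": 1, None: 2}  # beta < rc < final release

def version_key(version):
    """Turn '2.0-beta9', '2.0-rc1' or '2.14.1' into a sortable tuple."""
    m = _VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised Log4j version string: {version!r}")
    major, minor, patch, qual, qual_num = m.groups()
    return (int(major), int(minor), int(patch or 0),
            _QUALIFIER_RANK[qual.lower() if qual else None], int(qual_num or 0))

# The range the article gives for CVE-2021-44228: 2.0-beta9 through 2.14.1 inclusive.
FIRST_AFFECTED = version_key("2.0-beta9")
LAST_AFFECTED = version_key("2.14.1")

def is_affected(version):
    """True when the version lies inside that range."""
    return FIRST_AFFECTED <= version_key(version) <= LAST_AFFECTED

def log4j_core_version(jar_bytes):
    """Return the bundled log4j-core version from pom.properties (None if absent)."""
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as zf:
        if POM_PROPERTIES not in zf.namelist():
            return None
        for line in zf.read(POM_PROPERTIES).decode("utf-8", "replace").splitlines():
            key, sep, value = line.partition("=")
            if sep and key.strip() == "version":
                return value.strip()

def scan_directory(root):
    """Yield (path, version, affected) for each JAR under root that bundles log4j-core."""
    for jar in Path(root).rglob("*.jar"):
        version = log4j_core_version(jar.read_bytes())
        if version is not None:
            yield str(jar), version, is_affected(version)

def make_sample_jar(version=None):
    """Constructed fixture: a minimal JAR with (or, if version is None, without) pom.properties."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        entry = (POM_PROPERTIES, f"version={version}\n") if version else ("README.txt", "no log4j here\n")
        zf.writestr(*entry)
    return buf.getvalue()
```

scan_directory only opens top-level .jar files; a log4j-core copy nested inside another archive (a WAR or a fat JAR) is not unpacked here.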