
Security researchers report vulnerability in log4j library again – IT Pro – News

Security researchers report that they have once again found a vulnerability in the Java logging library log4j that allows remote code execution. According to the researchers, the new vulnerability partially undoes the fix for the Log4Shell vulnerability.

Researchers at LunaSec write in a blog post that this does not mean updating log4j is pointless, but that users may still be vulnerable to Log4Shell even if their systems run version 2.15.0. The description of the new vulnerability, CVE-2021-45046, states that the 2.15.0 update does not fully protect against it, so that denial-of-service attacks remain possible. That is why log4j 2.16.0 was released soon after 2.15.0.

The researchers write that, in addition to a DoS attack, remote code execution is also possible. They say the details are somewhat hard to follow, but the bottom line is that the fix meant to close Log4Shell does not work properly in certain non-default configurations of log4j: when the logging pattern itself pulls attacker-controlled data out of the Thread Context Map (for example via %X or a ${ctx:...} lookup), that data still passes through the lookup mechanism, which allows attackers to gain access to the systems. The temporary mitigations recommended against Log4Shell for log4j versions 2.7.0 to 2.14.1 also do not protect against this vulnerability, they say.

In the researchers' tests, the %m{nolookups} pattern layout option does not protect against Log4Shell, and remote code execution remains possible even when the formatMsgNoLookups flag (the log4j2.formatMsgNoLookups system property) is set. According to the researchers, the logic that is supposed to disable JNDI lookups can be bypassed in these configurations, leaving the system vulnerable. They recommend updating to version 2.16.0 as soon as possible, because that release removes message lookup patterns entirely and disables JNDI functionality by default.
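The following checker is an added example, not code from LunaSec or the Apache Log4j project, and makes the failure described above concrete. It scans a log4j2.xml for PatternLayouts that render Thread Context Map (MDC) data, either through the %X/%mdc/%MDC converters or through a ${ctx:...} lookup; that is the non-default configuration CVE-2021-45046 depends on, because values an attacker places in the MDC are still resolved by the lookup machinery even when %m{nolookups} or formatMsgNoLookups has switched off lookups in the message text itself. The two configurations in the block are constructed for illustration, and the version threshold follows the recommendation to move to 2.16.0.

```python
"""
Check a Log4j 2 XML configuration for the non-default PatternLayout elements
that the incomplete 2.15.0 fix (CVE-2021-45046) leaves exposed.

Added example; not code from LunaSec or the Apache Log4j project.
The sample configurations below are constructed for illustration.
"""
import re
import xml.etree.ElementTree as ET

# Pattern converters that render Thread Context Map (MDC) entries into the log line.
MDC_CONVERTER = re.compile(r"%(?:X|mdc|MDC)\b(?:\{[^}]*\})?")
# A Context Lookup written into the pattern; "$${ctx:...}" defers resolution to log time.
CTX_LOOKUP = re.compile(r"\$\$?\{ctx:[^}]*\}")
# The message-only mitigation that the article discusses.
NOLOOKUPS_MSG = re.compile(r"%(?:m|msg|message)\{[^}]*nolookups[^}]*\}")


def mdc_exposures(config_xml):
    """Return one finding per PatternLayout whose pattern renders MDC data.

    Each finding records the appender name, the pattern, the MDC references
    found in it, and whether the pattern also uses %m{nolookups}, which does
    not cover those references.
    """
    root = ET.fromstring(config_xml)
    findings = []
    appenders = root.find("Appenders")
    if appenders is None:
        return findings
    for appender in appenders:
        for layout in appender.iter("PatternLayout"):
            # Log4j accepts the pattern as an attribute or as a <Pattern> child element.
            pattern = layout.get("pattern") or layout.findtext("Pattern") or ""
            refs = MDC_CONVERTER.findall(pattern) + CTX_LOOKUP.findall(pattern)
            if refs:
                findings.append({
                    "appender": appender.get("name", appender.tag),
                    "pattern": pattern,
                    "mdc_refs": refs,
                    "message_lookups_disabled": bool(NOLOOKUPS_MSG.search(pattern)),
                })
    return findings


def version_tuple(version):
    """'2.15.0' -> (2, 15, 0); tolerates suffixes such as '-rc1'."""
    return tuple(int(n) for n in re.findall(r"\d+", version)[:3])


def verdict(config_xml, log4j_version):
    """Classify a deployment against CVE-2021-45046.

    'fixed'              : log4j-core 2.16.0 or later (lookups removed, JNDI off by default)
    'exposed'            : older, and a layout renders MDC data the attacker may control
    'config-not-exposed' : older, but no layout renders MDC data; upgrade regardless
    """
    if version_tuple(log4j_version) >= (2, 16, 0):
        return "fixed"
    return "exposed" if mdc_exposures(config_xml) else "config-not-exposed"


# Constructed sample: the message-only mitigation is present, but MDC data is rendered
# once via %X{...} and once via a deferred context lookup.
VULNERABLE_CONFIG = """\
<Configuration status="warn">
  <Appenders>
    <Console name="Console" target="SYSTEM_OUT">
      <PatternLayout pattern="%d{HH:mm:ss} %-5p [%t] user=%X{loginId} %m{nolookups}%n"/>
    </Console>
    <File name="Audit" fileName="audit.log">
      <PatternLayout>
        <Pattern>%d %p $${ctx:loginId} %m%n</Pattern>
      </PatternLayout>
    </File>
  </Appenders>
  <Loggers>
    <Root level="info">
      <AppenderRef ref="Console"/>
      <AppenderRef ref="Audit"/>
    </Root>
  </Loggers>
</Configuration>
"""

# Constructed sample: the same appender without any MDC reference in its layout.
PLAIN_CONFIG = """\
<Configuration status="warn">
  <Appenders>
    <Console name="Console" target="SYSTEM_OUT">
      <PatternLayout pattern="%d{HH:mm:ss} %-5p [%t] %m%n"/>
    </Console>
  </Appenders>
  <Loggers>
    <Root level="info"><AppenderRef ref="Console"/></Root>
  </Loggers>
</Configuration>
"""

if __name__ == "__main__":
    for name, cfg in (("vulnerable", VULNERABLE_CONFIG), ("plain", PLAIN_CONFIG)):
        print(name, "on 2.15.0:", verdict(cfg, "2.15.0"))
        for f in mdc_exposures(cfg):
            note = "(%m{nolookups} present, but it does not cover these)" if f["message_lookups_disabled"] else ""
            print("  ", f["appender"], f["mdc_refs"], note)
```

The checker only reads the configuration; it does not tell you whether attackers can actually write into the MDC, which depends on the application code that calls ThreadContext.put. Treat an "exposed" verdict as a reason to upgrade rather than to audit every MDC write, since 2.16.0 closes the path regardless of the pattern.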
