Apache has released a new patch for Log4j to mitigate a high severity vulnerability, as researchers separately found a new attack vector for the Log4Shell bug.
The open-source web server community had previously released a patch to fix the now-infamous CVE-2021-44228 flaw in the popular logging utility.
However, in an update, it admitted that this fix did not address a newly discovered issue in Log4j, which has been given a CVSS score of 7.5.
“Apache Log4j2 versions 2.0-alpha1 through 2.16.0 did not protect from uncontrolled recursion from self-referential lookups,” it explained.
“When the logging configuration uses a non-default Pattern Layout with a Context Lookup (for example, $${ctx:loginId}), attackers with control over Thread Context Map (MDC) input data can craft malicious input data that contains a recursive lookup, resulting in a StackOverflowError that will terminate the process. This is also known as a DoS (Denial of Service) attack.”
The news comes as researchers at Blumira made a discovery that effectively expands the attack surface for Log4Shell, by enabling Javascript WebSocket connections to trigger the remote code execution bug on unpatched Log4j instances.
It means that even services running as localhost that aren’t exposed to a network could be impacted.
“Previously, we understood that the impact of Log4j was limited to vulnerable servers. This newly discovered attack vector means that anyone with a vulnerable Log4j version on their machine or local private network can browse a website and potentially trigger the vulnerability,” said Blumira.
“The client itself generally has no direct control over these WebSocket connections, which can silently initiate when a webpage loads. WebSocket connections within the host can be difficult to gain deep visibility into, which increases the complexity of detection for this attack.”
The threat from Log4Shell is now so great that the US Cybersecurity and Infrastructure Security Agency (CISA) on Friday updated its patching deadline for federal agencies from December 24 to “immediately.