Security researchers report vulnerability in log4j library again

Security researchers report that they have again found a vulnerability in Java feature log4j that allows remote code execution. According to the researchers, the new vulnerability partially negates the update against the Log4Shell vulnerability.

In a blog post, researchers at LunaSec write that it doesn’t mean that updating log4j is of no use at all, but that there is a chance that users are still vulnerable to Log4Shell even if their systems have version 2.15.0 installed. The description of the new vulnerability, CVE-2021-45046, states that update 2.15.0 does not fully protect, which means that denial of service attacks are still possible. Therefore, 2.16.0 of log4j was released quite soon after 2.15.0.

The researchers write that in addition to a DOS attack, remote code execution is also possible. They say it’s a bit difficult to understand, but the bottom line is that the fix that is supposed to fix Log4Shell doesn’t work properly in certain non-standard configurations of log4j, allowing attackers to gain access to the systems. The temporary mitigations to protect against Log4Shell in versions 2.7.0 to 2.14.1 of log4j also do not protect against this vulnerability, they say.

In tests conducted by the researchers, it appears that the %m{nolookups} setting does not protect against Log4Shell and that remote code execution is still possible if the noMsgFormatLookups flag is set. According to the researchers, logic to disable JNDI lookups can be bypassed through these settings, making the system vulnerable. The researchers recommend updating to version 2.16.0 as soon as possible, as this disables message lookup patterns and disables standard JNDI functionality.