{"id":34460,"date":"2021-12-16T16:43:27","date_gmt":"2021-12-16T21:43:27","guid":{"rendered":"https:\/\/mjtsai.com\/blog\/?p=34460"},"modified":"2021-12-17T14:15:29","modified_gmt":"2021-12-17T19:15:29","slug":"log4j-fix-also-has-rce","status":"publish","type":"post","link":"https:\/\/mjtsai.com\/blog\/2021\/12\/16\/log4j-fix-also-has-rce\/","title":{"rendered":"Log4j Fix Also Has RCE"},"content":{"rendered":"

Dan Goodin<\/a>:<\/p>\n

\n

Now, researchers are reporting that there are at least two vulnerabilities in the patch, released as Log4J 2.15.0, and that attackers are actively exploiting one or both of them against real-world targets who have already applied the update.<\/p>\n<\/blockquote>\n\n

LunaSec<\/a> (via Hacker News<\/a>):<\/p>\n

After the log4j maintainers released version 2.15.0<\/code> to address the\nLog4Shell vulnerability<\/a>, an additional attack vector\nwas identified and reported in CVE-2021-45046<\/a>.<\/p>

Our research into this shows that this new CVE invalidates previous mitigations used to protect versions\n2.7.0 <= Apache log4j <= 2.14.1<\/code> from Log4Shell in some cases.<\/p><\/blockquote>\n\n

freeqaz<\/a>:<\/p>\n

\n

We also wrote a Log4Shell payload that will in-memory “hot patch” your server against Log4Shell.<\/p>\n

${jndi:ldap:\/\/hotpatch.log4shell.com:1389\/a}<\/pre>\n
If you paste that into a vulnerable server (or even throw it into a log statement in your main<\/code> function), that’ll patch you against this until you can manage to update properly.<\/p>\n<\/blockquote>\n\n
See also: Bruce Schneier<\/a>.<\/p>\n\n
Previously:<\/p>\n