Apache Log4j2 Exploitation 2.0

The exploitation continues: a second vulnerability has been discovered. According to Apache, the remediation for Log4j was incomplete in some configurations. Apache Log4j2 is an upgrade to Log4j that is supposed to provide significant improvements.

This new vulnerability has been brought to the attention of the Log4j team and is being addressed as Log4j2.

Details from Apache show that “It was found that the fix to address CVE-2021-44228 in Apache Log4j 2.15.0 was incomplete in certain non-default configurations. When the logging configuration uses a non-default Pattern Layout with a Context Lookup (for example, $${ctx:loginId}), attackers with control over Thread Context Map (MDC) input data can craft malicious input data using a JNDI Lookup pattern, resulting in an information leak and remote code execution in some environments and local code execution in all environments; remote code execution has been demonstrated on macOS but no other tested environments.

Note that previous mitigations involving configuration such as setting the system property log4j2.formatMsgNoLookups to true do NOT mitigate this specific vulnerability.”
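To check whether a deployment matches the non-default configuration Apache describes, the following added example (not code from Apache or the Log4j project) scans a Log4j2 XML configuration for Pattern Layouts that contain a Context Lookup. It assumes the concise XML syntax with case-sensitive element names; `find_context_lookups` and the sample configuration are hypothetical and constructed for illustration.

```python
import re
import xml.etree.ElementTree as ET

# Matches ${ctx:key} and the escaped $${ctx:key} form quoted in the advisory,
# with an optional ":-default" suffix. Captures the context key name.
CTX_LOOKUP = re.compile(r"\$?\$\{ctx:([^}:]+)(?::-[^}]*)?\}")

# Constructed sample configuration (not taken from any real deployment).
SAMPLE_CONFIG = """<Configuration status="WARN">
  <Appenders>
    <Console name="Safe" target="SYSTEM_OUT">
      <PatternLayout pattern="%d{ISO8601} [%t] %-5level %logger - %msg%n"/>
    </Console>
    <File name="Audit" fileName="logs/audit.log">
      <PatternLayout>
        <Pattern>%d $${ctx:loginId} %-5level %msg%n</Pattern>
      </PatternLayout>
    </File>
  </Appenders>
</Configuration>
"""

def find_context_lookups(config_xml):
    """Return (appender_name, pattern, [ctx keys]) for every PatternLayout
    whose pattern string contains a Context Lookup."""
    findings = []
    root = ET.fromstring(config_xml)
    for appender in root.iter():
        name = appender.get("name")
        if name is None:
            continue  # only named elements (appenders) are inspected
        for layout in appender.iter("PatternLayout"):
            # The pattern may be an attribute or a nested <Pattern> element.
            patterns = [layout.get("pattern")]
            patterns += [p.text for p in layout.iter("Pattern")]
            for pattern in filter(None, patterns):
                keys = CTX_LOOKUP.findall(pattern)
                if keys:
                    findings.append((name, pattern.strip(), keys))
    return findings

if __name__ == "__main__":
    for name, pattern, keys in find_context_lookups(SAMPLE_CONFIG):
        print(f"[!] appender {name!r} uses Context Lookup(s) {keys}: {pattern}")
        print("    log4j2.formatMsgNoLookups=true does not mitigate this case")
```

Any appender it reports logs Thread Context Map values through a lookup, so the inputs that populate those keys should be reviewed and the library upgraded rather than relying on the system property.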

Further reading can be found on the Apache website: Apache Log4j Security Vulnerabilities.