2021-12-21

Apache has released a new Log4j patch, 2.17.0, after discovering problems with the previous version. The release notes state that version 2.16 “does not always protect against uncontrolled recursion in searches”, explaining that it is still vulnerable to CVE-2021-45105, which can lead to denial of service attacks. This is a high-severity vulnerability with a CVSS score of 7.5. The problem was discovered by Akamai Technologies researcher Hideki Okamoto.

Meanwhile, Google has analysed Maven Central, the largest Java package repository, and found that more than 35,000 Maven artifacts use Log4j to some extent and are therefore affected by the problem: “Direct dependencies represent approximately 7000 of the affected artifacts, meaning that any of the versions of each depend on an affected version of log4j-core or log4j-api, as described in CVEs. Most of the artifacts come from indirect dependencies, which means that log4j is not explicitly defined as an artifact dependency, but is entered as a transitive dependency,” explain James Wetter and Nicky Ringland of Google.

Another alarm bell comes from Blumira researchers, who have identified alternative attack vectors that can trigger remote code execution even on unpatched machines on internal networks that are not necessarily exposed to the outside. This significantly increases the vulnerable surface, since it can affect services that operate on localhost.

It is also reported that the security company Advanced Intelligence found that the Conti ransomware group has started exploiting the Log4Shell vulnerability. AdvIntel researchers in particular confirmed that the attackers targeted VMware vCenter for so-called “lateral movement” after gaining access to systems and networks by exploiting the Log4j vulnerability.