Apache has released another Log4j patch, this time to close a high-severity denial-of-service flaw (CVE-2021-45105, fixed in Log4j 2.17.0) that surfaced while organisations were still working through Log4Shell, and separate research has shown a new way to reach the original bug. The Apache Logging Services project had earlier shipped patches for the now-famous CVE-2021-44228 remote code execution vulnerability in the widely used Log4j 2 logging library.
The earlier fixes, however, did not cover a further issue in Log4j, rated CVSS 7.5. Apache's advisory explains that “Apache Log4j2 versions 2.0-alpha1 through 2.16.0 did not protect against uncontrolled recursion from self-referential lookups.”
When the logging configuration uses a non-default Pattern Layout with a Context Lookup (for example, $${ctx:loginId}), an attacker who controls Thread Context Map (MDC) input data can supply a value that refers back to itself as a lookup. Resolving that value recurses without bound and ends in a StackOverflowError that terminates the process, which is a denial-of-service (DoS) condition. The default layout is not affected, and the attacker needs some path by which their input reaches the MDC, such as an application that copies a user-supplied name or header into the context before logging.
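To make the recursion concrete, here is a small Python model of the ${prefix:key} substitution step, added to this article; it is not Log4j code and models only the ctx (MDC) lookup. The first renderer re-evaluates whatever a lookup returns, which is the event-time behaviour that made 2.16.0 vulnerable; the second inserts the looked-up value verbatim, which is the behaviour 2.17.0 adopted for log events. The layout pattern and MDC values are constructed sample input.

```python
"""Toy model of Log4j 2 '${prefix:key}' lookup substitution (not Log4j code).

A PatternLayout written as  $${ctx:loginId}  in the configuration becomes
'${ctx:loginId}' at run time (the doubled '$$' delays evaluation) and is
resolved against the Thread Context Map (MDC) for every event. If the value
fetched from the MDC is itself evaluated as a lookup again, an attacker who
can put '${ctx:loginId}' into the MDC makes the substitution never terminate.
"""
import re
from typing import Optional

# One innermost ${prefix:key} token; keys may not contain '$', '{' or '}'.
LOOKUP = re.compile(r"\$\{([A-Za-z]+):([^${}]*)\}")


def _lookup(prefix: str, key: str, mdc: dict) -> Optional[str]:
    """Resolve a single lookup; only the 'ctx' (MDC) lookup is modelled here."""
    if prefix == "ctx":
        return mdc.get(key)
    return None  # unknown prefixes are left untouched


def render_recursive(pattern: str, mdc: dict) -> str:
    """2.16.0-style behaviour: a lookup's result is substituted again.

    Harmless for a value like 'alice'; fatal for a value that names itself.
    """
    def repl(m) -> str:
        value = _lookup(m.group(1), m.group(2), mdc)
        if value is None:
            return m.group(0)
        return render_recursive(value, mdc)  # re-evaluates attacker-supplied data
    return LOOKUP.sub(repl, pattern)


def render_single_pass(pattern: str, mdc: dict) -> str:
    """2.17.0-style behaviour for log events: the fetched value is inserted
    verbatim and never treated as a lookup itself, so there is no recursion."""
    def repl(m) -> str:
        value = _lookup(m.group(1), m.group(2), mdc)
        return m.group(0) if value is None else value
    return LOOKUP.sub(repl, pattern)


def terminates(render, pattern: str, mdc: dict) -> bool:
    """True if rendering finishes, False if it exhausts the stack.

    Python's RecursionError stands in for the JVM's StackOverflowError, which
    in the real bug takes the logging thread (and typically the process) down.
    """
    try:
        render(pattern, mdc)
        return True
    except RecursionError:
        return False


# Constructed sample: a layout that prefixes each message with the MDC 'loginId'.
PATTERN = "[${ctx:loginId}] %m%n"
BENIGN_MDC = {"loginId": "alice"}
# Constructed attacker-controlled MDC value, e.g. a web layer that copies a
# request header or submitted user name into the MDC before logging.
EVIL_MDC = {"loginId": "${ctx:loginId}"}

if __name__ == "__main__":
    print(render_recursive(PATTERN, BENIGN_MDC))
    print(terminates(render_recursive, PATTERN, EVIL_MDC))
    print(render_single_pass(PATTERN, EVIL_MDC))
```

The benign MDC renders identically under both renderers; the difference only appears when the MDC value contains a lookup, which is exactly the case an attacker can create and a legitimate application never needs.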
The news comes as Blumira researchers found a way to widen Log4Shell’s reach: JavaScript running in a web page can open WebSocket connections that trigger the remote code execution bug on unpatched Log4j instances. The consequence is that a vulnerable service listening only on localhost, with no exposure to the internet, can still be attacked, because the victim’s own browser makes the connection from inside the network.
Previously, we thought Log4j’s impact was limited to vulnerable servers. Anyone with a vulnerable Log4j version on their machine or local private network can potentially trigger the vulnerability by browsing a website, Blumira explained. In most cases, the client has no direct control over these WebSocket connections, which can start silently when a webpage loads. WebSocket connections within the host can be difficult to gain deep visibility into, which makes this attack harder to detect.
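As a defensive counterpart, below is an added Python example (not Blumira’s proof of concept and not from this article) of the check a WebSocket endpoint on localhost can apply: validate the Origin header of the upgrade handshake against an allowlist before doing anything else with the request. Browsers attach Origin to every WebSocket handshake but apply no CORS gate to it, so without such a check any page the user visits can drive the service. The sample requests, allowlist and path are constructed; the Sec-WebSocket-Key value and its expected accept key are the ones given in RFC 6455. This is defence in depth for services that speak WebSocket, not a substitute for upgrading Log4j, and it only helps if the raw request is not logged before the check runs.

```python
"""Added example: server-side Origin check for a WebSocket handshake (stdlib only).

Unlike fetch/XHR there is no preflight for WebSocket, so a service bound to
127.0.0.1 that accepts any Origin can be reached by JavaScript on any site.
Rejecting handshakes whose Origin is not allowlisted closes that door for
endpoints that actually speak WebSocket.
"""
import base64
import hashlib
from typing import Dict, Optional, Set, Tuple

# Fixed GUID from RFC 6455, section 1.3.
WS_GUID = "258EAFA5-E914-47DA-95CA-C5AB0DC85B11"


def parse_handshake(raw: bytes) -> Tuple[str, Dict[str, str]]:
    """Split an HTTP/1.1 upgrade request into (request line, lower-cased headers)."""
    head, _, _ = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers


def accept_key(client_key: str) -> str:
    """Sec-WebSocket-Accept per RFC 6455: base64(sha1(key + GUID))."""
    digest = hashlib.sha1((client_key + WS_GUID).encode("ascii")).digest()
    return base64.b64encode(digest).decode("ascii")


def handshake_response(raw: bytes, allowed_origins: Set[str]) -> Tuple[int, Optional[str]]:
    """Return (HTTP status, Sec-WebSocket-Accept value or None).

    403 when Origin is missing or not allowlisted. Browsers always send
    Origin, so a missing header means a non-browser client; this example
    assumes the service only serves browsers and treats that as untrusted.
    Nothing from the request is logged or echoed before the Origin decision.
    """
    _, headers = parse_handshake(raw)
    if headers.get("upgrade", "").lower() != "websocket":
        return 400, None
    origin = headers.get("origin")
    if origin is None or origin not in allowed_origins:
        return 403, None
    key = headers.get("sec-websocket-key")
    if key is None:
        return 400, None
    return 101, accept_key(key)


def build_request(origin: Optional[str]) -> bytes:
    """Constructed upgrade request as a browser would send it to localhost."""
    lines = [
        "GET /events HTTP/1.1",
        "Host: localhost:8080",
        "Upgrade: websocket",
        "Connection: Upgrade",
        "Sec-WebSocket-Key: dGhlIHNhbXBsZSBub25jZQ==",  # RFC 6455 example key
        "Sec-WebSocket-Version: 13",
    ]
    if origin is not None:
        lines.append(f"Origin: {origin}")
    return ("\r\n".join(lines) + "\r\n\r\n").encode("ascii")


# Constructed allowlist: only the service's own UI may open a socket to it.
ALLOWED = {"http://localhost:8080"}
TRUSTED_REQUEST = build_request("http://localhost:8080")
# Constructed: the handshake a third-party page causes the browser to send.
CROSS_SITE_REQUEST = build_request("https://attacker.example")

if __name__ == "__main__":
    print(handshake_response(TRUSTED_REQUEST, ALLOWED))
    print(handshake_response(CROSS_SITE_REQUEST, ALLOWED))
```

The Origin value cannot be forged by page JavaScript, which is what makes it usable as a gate here; it tells the server which site started the connection, not which user. A service that logs the request line or body before this decision still hands attacker-controlled text to the logger, so the ordering in handshake_response matters as much as the allowlist.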