Just as we learned that nation-state hackers have started studying the Log4j vulnerability that shocked the cybersecurity world last week, other researchers signaled a disturbing development. The Log4j hack, also known as Log4Shell, already has a patch that companies can deploy. But it turns out that the fix has security issues of its own that hackers can exploit. As a result, companies looking to safeguard their systems against Log4j attacks must deploy a new patch that fixes the previous fix.
As we explained in our previous coverage, the Log4j hack is incredibly dangerous. That’s because it impacts virtually every company offering internet services. The security vulnerability sits in a Java logging utility that’s widely used. Since its disclosure last Thursday, cybersecurity researchers have witnessed hundreds of thousands of attempts to exploit it. That includes attacks from nation-backed hackers who have significant resources at their disposal compared to most hackers.
As long as internet companies do not apply the existing Log4j patch to their systems, they’re at risk.
Hackers can use the Log4j hack to get into computer servers without a password. From there, they can install other malicious programs. These tools would let them steal information, conduct ransomware attacks, or mine for cryptocurrencies. According to the initial reports describing the security issues, someone used the vulnerability inside Minecraft. Microsoft quickly patched Minecraft and kept issuing updates about Log4j exploits in the wild.
The new Log4j patch vulnerability
Regular end-users can’t do anything to fix the Log4j hack themselves. It’s not as easy as updating the operating system or an app to the latest, most secure version. It’s internet companies that have to deploy the latest Log4j patch to secure servers.
But security researchers have already discovered that the Log4j 2.15.0 patch that the Apache Foundation released last week has at least two vulnerabilities that require fixing. Organizations that have already installed Log4j 2.15.0 should install version 2.16.0 as quickly as possible, the report says.
According to some researchers, the Log4j 2.15.0 patch was incomplete “in certain non-default configurations.” In turn, this allows attackers to mount campaigns against patched systems.
Security researchers from Praetorian also detailed the new security problem. They explained that hackers could still steal data from servers where the Log4j 2.15.0 patch had been deployed.
“In our research, we have demonstrated that 2.15.0 can still allow for exfiltration of sensitive data in certain circumstances,” the researchers said. “We have passed technical details of the issue to the Apache Foundation, but in the interim, we strongly recommend that customers upgrade to 2.16.0 as quickly as possible.”
Praetorian posted a proof-of-concept attack on the Log4j 2.15.0 patch without disclosing technical details that make it possible.
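As a practical check on the upgrade advice above, here is an added example that is not from the article, from Praetorian, or from the Apache project: a small Python inventory that walks a directory tree, reads the version recorded in each log4j-core jar's Maven pom.properties (an assumed layout of the published artifact), and flags anything older than 2.16.0. The sample jar it builds for testing is constructed in memory and is not a real log4j release.

```python
import io
import os
import zipfile

# Maven metadata path that a log4j-core jar carries (assumed layout of the
# published artifact); its 'version=' line identifies the bundled release.
POM_PROPS = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
# Lowest release the article recommends; anything older gets flagged.
MIN_SAFE = (2, 16, 0)

def parse_version(text):
    """Return the 'version=' value of a pom.properties body as an int tuple."""
    for line in text.splitlines():
        key, sep, value = line.strip().partition("=")
        if sep and key.strip() == "version":
            try:
                return tuple(int(p) for p in value.strip().split("."))
            except ValueError:  # pre-release tags such as '2.0-beta9'
                return None
    return None

def jar_log4j_version(data):
    """Version bundled in a log4j-core jar (bytes), or None if not log4j-core."""
    with zipfile.ZipFile(io.BytesIO(data)) as jar:
        if POM_PROPS not in jar.namelist():
            return None
        return parse_version(jar.read(POM_PROPS).decode("utf-8", "replace"))

def needs_upgrade(version):
    """True when the release is older than the 2.16.0 the article recommends."""
    return version < MIN_SAFE

def scan_tree(root):
    """Yield (path, version, needs_upgrade) for every log4j-core jar under root."""
    for dirpath, _, files in os.walk(root):
        for name in files:
            if name.endswith(".jar"):
                path = os.path.join(dirpath, name)
                with open(path, "rb") as fh:
                    version = jar_log4j_version(fh.read())
                if version is not None:
                    yield path, version, needs_upgrade(version)

def make_sample_jar(version):
    """Constructed stand-in jar for testing; not a real log4j release."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as jar:
        jar.writestr(POM_PROPS, f"version={version}\nartifactId=log4j-core\n")
    return buf.getvalue()
```

Shaded or uber-jars that repackage log4j classes under another path will not carry this metadata and need a deeper scan of their contents; treat a None result as "unknown", not "safe".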