Serious Techy Business Thread

According to a new Apache Log4j security bulletin, version 2.15.0 and the initially suggested mitigation measures do not completely address the Log4Shell in certain custom configurations.

It was discovered that version 2.15.0 would still be vulnerable when the configuration has a pattern layout containing a Context Lookup (for example, $${ctx:loginId}), or a Thread Context Map pattern %X, %mdc, or %MDC. In these cases, when the attacker manages to control the Thread Context values, JNDI lookup injections may be possible, resulting in JNDI connections. Version 2.15.0 limited JNDI connections to 'localhost’' but this possibility could result in a denial of service (DoS) or worse.

“Blumira’s security team discovered the potential for an alternative attack vector in the Log4j vulnerability, which relies on a Javascript WebSocket connection to trigger the RCE on internal and locally exposed unpatched Log4j applications.

Previously, we understood that the impact of Log4j was limited to vulnerable servers. This newly-discovered attack vector means that anyone with a vulnerable Log4j version on their machine or local private network can browse a website and potentially trigger the vulnerability. At this point, there is no proof of active exploitation.

This vector significantly expands the attack surface and can impact services even running as localhost which were not exposed to any network.

The client itself generally has no direct control over these WebSocket connections, which can silently initiate when a webpage loads. WebSocket connections within the host can be difficult to gain deep visibility into, which increases the complexity of detection for this attack.”