
The logo gets worse as the situation gets worse...
Originally Posted @ December 17th & Last Updated @ December 19th, 3:37pm PST
Earlier today, the second Log4j vulnerability (CVE-2021-45046), was upgraded from a CVSS score of 3.7
(limited DOS) to a CVSS score of 9.0 (limited RCE). Note: the reported
limited RCE has only been proven to be exploitable on macOS at the moment. We expect, in time, that other operating systems
will also be shown to be exploitable. Update: More operating systems have been showing to be vulnerable: MacOS, Fedora, Arch Linux, and Alpine Linux.
See the bottom of this post for an example exploit payload that bypasses the checks in log4j 2.15.0
.
Just trying to patch Log4Shell? Please read our dedicated
Mitigation Guide.
Context on CVE Timeline
The Log4j team had previously released version 2.15.0
on December 6th to address, which at the time had only been
privately disclosed, the Log4Shell vulnerability that abused JNDI and LDAP to allow for an easily exploitable RCE
vulnerability. We posted a
blog post about this new RCE that, at the time, was only being posted
about by the Chinese InfoSec community on December 9th, 2021. This post made the broader InfoSec community aware of the
ongoing exploitation and resulted in a frenzy as Java developers worked to patch themselves.
The following day, on December 10th, an official CVE was associated with this RCE vulnerability as
CVE-2021-44228 with the maximum possible CVSS score of
10.0.
In the days afterwards, it was realized that this fix was incomplete as bypasses were found that could result in a
limited DOS for 2.15.0
users, and, for users that had patched older Log4j releases using formatMsgNoLookups
, these
bypasses could be used to allow for limited RCE.
Version 2.16.0
was released on December 13th to address the vulnerabilities by completely disabling JNDI by default.
The next day, on December 14th, the second vulnerability was officially given a dedicated CVE numbered CVE-2021-45046
with a limited 3.7 (now 9.0).
In this post, we're going to talk about the impact of these changes, and about why the CVSS score has changed so drastically.