The Log4Shell flaw that has website administrators rushing to patch servers even as criminals ramp up attacks now has a sibling.
A second flaw has been found in the same logging utility, one that could crash websites, and the utility's developers have rushed out a patch that fixes both flaws.
The new flaw, catalogued as CVE-2021-45046 but which doesn't have a catchy name, abuses the same functions as Log4Shell, otherwise known as CVE-2021-44228.
It lets attackers cause a denial of service — i.e., a crash — in Log4j, the same utility being exploited by Log4Shell. That in turn might cause websites using Log4j to malfunction or crash.
The initial patch to stop Log4Shell, version 2.15.0 of Log4j, doesn't stop this new attack. So the Apache Software Foundation, which maintains Log4j, yesterday (Dec. 13) released Log4j version 2.16.0, which disables one of the functions that make the two flaws possible and removes the other function.
Crashing Log4j likely won't lead to the same devastating effects as Log4Shell does. The earlier flaw lets attackers slip malicious code into or steal sensitive information from any web server that contains Log4j somewhere in its software.
This new flaw might knock a web server offline, which is annoying and can be expensive if business transactions are halted, but most likely won't result in permanent damage.
What to do about Log4Shell
Hundreds of thousands, if not millions, of web servers are believed to be impacted by Log4Shell, and all versions of the Java runtime environment are affected. The only permanent solution is to update Log4j.
The Netherlands' National Cyber Security Center has posted a list of enterprise software thought to be vulnerable to Log4Shell, which also includes software that has been found to be not vulnerable.
Among the well-known names on the list are Amazon, Broadcom, Cisco, Citrix, Dell, HPE, Huawei, IBM, McAfee, Microsoft, Netflix, Oracle, Red Hat, Siemens and Trend Micro.
As detailed in our earlier story, most Windows PCs, Macs and mobile devices are not vulnerable to attacks using Log4Shell unless the devices are running the Java runtime environment. (Microsoft's December Patch Tuesday updates don't address it.)
Gamers running Minecraft Java Edition do of course run Java, and they got a patch for Minecraft last week. Yesterday, Bitdefender reported seeing two campaigns that were putting ransomware and remote-access-Trojans on Windows machines that do have Java installed.
But again, neither Windows nor macOS ship with Java installed. Linux desktops are more vulnerable, as many of them do have it. Ubuntu has already released patches fixing Log4Shell, and other Linux distributions have probably also done so.
However, because of the sheer volume of financial and personal data held in web-facing servers, such as credit-card and banking information, email messages, login credentials, photos and other personal details, the risk of data breaches, identity thefts, credit card thefts and account hijackings has probably never been higher.
Likewise, criminals may use Log4Shell to corrupt websites to distribute malware or use them in phishing attacks to steal your personal information.