A patch for a critical vulnerability in a popular piece of software, a flaw that some have described as the worst in a decade, has introduced at least two new ways for malicious actors to attack servers.
The discovery of a previously unknown vulnerability in Log4j, an open-source tool developed by the Apache Software Foundation, made global headlines last week. The flaw allowed attackers to make servers that use the logging utility execute any code.
A patch closed the loophole last week, but the patch itself introduced new vulnerabilities, as detailed by Ars Technica and ZDNet.
The developers confirmed that the fix was “incomplete in certain non-default configurations” and gave attackers the opportunity to launch denial-of-service attacks, which render a service inaccessible. Disabling certain functionality would mitigate the risk.
Another problem was reported by cybersecurity firm Praetorian, which said on Wednesday that the patch “can still allow for exfiltration of sensitive data in certain circumstances.”
Fortunately, a newer patch for the tool was released earlier this week. However, it takes time for companies to integrate the upgrade into their products.
The original 0-day vulnerability has been actively exploited by malicious actors. According to an estimate cited by the Financial Times, more than 1.2 million attacks using the Log4j flaw have been launched since Friday.
The utility is written in Java, a popular programming language used in many modern products, which explains why it was described as the “single biggest, most critical vulnerability of the last decade” by the security company Tenable.