When a vulnerability of this magnitude is identified, all eyes are drawn to the software looking for other exposures or variations of exploitation. The same is true as new patches are released.
Good actors (researchers) rapidly look for missed or new flaws so that the community can patch them before they are exploited in the wild. The bad actors (cybercriminals, nation-states, etc.) have the opposite agenda: they are interested in exploiting such findings before the world can patch or otherwise protect itself.
This is exactly what has played out since the discovery of the Log4j exposure, and it will continue back and forth until researchers and bad actors alike stop finding new ways to exploit the code, whether a flaw has been sitting in the code for decades waiting to be exploited, as with Log4Shell, or was newly introduced by critical patches.
In the case of the newest CVE, it allows an attacker to trigger a denial of service attack. What makes this particularly novel is that it can be exploited through JavaScript WebSockets on a vulnerable machine, meaning that vulnerable systems browsing to a malicious web destination could be compromised.
This is exactly why continuous discovery and identification are key. These findings have a life of their own: each new finding results in a completely new scope of devices and vendor services/solutions being impacted. In cases where the first patches don’t quite fix the issue, it’s also critical that you’re able to continuously monitor your environment for potential exploitation through potentially any connected device.
It’s also simply not yet clear how many devices and pieces of software have been impacted, particularly software or devices thought of primarily as “consumer” versus enterprise devices. As these consumer devices come back to enterprise environments after the break, the risk of exploitation potentially increases once again.
One of the painful things about this situation is that many of the folks working 24/7 to patch vulnerable environments keep waking up to the need to apply yet another patch to a large percentage of their ecosystem. The hope is that the lessons learned from updating the environment a couple of times over the past week will streamline this process for everyone impacted.
That aside, the fix to avoid potential denial of service attacks is, once again, to patch all vulnerable assets.
For more information and to take a free Log4j Risk Assessment, visit our Log4j Resource Center.