Security researchers have discovered a new attack vector that exploits the Log4j vulnerability as the Apache Foundation has released a new patch to address the overall issue.

Discovered late last week by researchers at Blumira Inc., the new attack vector relies on a Javascript WebSocket connection to trigger a remote code execution on internal and locally exposed unpatched Log4j applications.

Previously discovered ways to exploit Log4j were through vulnerable servers. This attack vector differs in that anyone with a vulnerable Log4j version on a machine or local private network can browse a website and potentially trigger the vulnerability.

This attack vector significantly expands the attack surface with the ability to trigger the vulnerability through a malicious website. The attack vector can impact services even running as localhost, which were not exposed to any network.

The researchers noted that there’s no proof of active exploitation, but the client generally has no direct control over the WebSocket connections, which can silently initiate when a webpage loads. WebSockets connection can be difficult to gain deep visibility into, increasing the complexity of detecting this attack.

“WebSockets have previously been used for port scanning internal systems, but this represents one of the first remote code execution exploits being relayed by WebSockets,” Jake Williams, co-founder and chief technology officer at incident response firm BreachQuest Inc., told SiliconANGLE. “This shouldn’t change anyone’s position on vulnerability management, though. Organizations should be pushing to patch quickly and mitigate by preventing outbound connections from potentially vulnerable services where patching is not an option.”

John Bambenek, principal threat hunter at information technology service management company Netenrich Inc., noted that though the newly discovered attack vector is significant, attackers will likely favor the remote exploit versus the local one.

“That being said, this news does mean that relying on WAF, or other network defenses, is no longer an effective mitigation,” Bambenek added. “Patching remains the single most important step an organization can take.”

The emergence of a new attack vector comes as Apache has been forced to issue a third patch to address the Log4j vulnerability, called 2.17.0.

Apache says the patch addresses issues in 2.16.0 that did not protect from uncontrolled recursion from self-referential lookups. As a result, the patch did not protect from CVE-2021-45105, a Log4j denial-of-service vulnerability.

The ongoing serious nature of the Log4j vulnerability continues to gain widespread attention, including from government bodies. After initially warning of the vulnerability Dec. 14 and ordering all federal agencies to patch it by Dec. 24, the U.S. Department of Homeland Security’s Cybersecurity and Infrastructure Agency issued an emergency directive on Dec. 17.

The CISA emergency directive directs all federal, civilian and executive branch agencies to address the Log4j vulnerability. It applies only to government agencies, but CISA strongly recommended that all organizations review the emergency directive for mitigation guidance.

Image: Apache