Vulnerability in Apache Log4j library

 
Ranch Hand
Posts: 106
Hi.
We have a medium complex J2EE application (Spring, Hibernate, Ember) deployed in Tomcat.
Our customer warned us about a vulnerability in the Apache Log4j library (CVE-2021-44228). Vulnerable are these versions of Apache log4j: from 2.0 to 2.14.1.
We use the older version 1.2.17, but it has security issues too (CVE-2019-17571).
I don't understand how serious this threat is:
"Included in Log4j 1.2 is a SocketServer class that is vulnerable to deserialization of untrusted data which can be exploited to remotely execute arbitrary code when combined with a deserialization gadget when listening to untrusted network traffic for log data."
Please can somebody explain and simplify the meaning of the quoted sentence to me?
I cannot imagine how anybody could intercept the direct write operation between our app and the log file (catalina.out) in Tomcat. There is no "network traffic for log data", there is a direct write.

Thanks for any comments.
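An added example, not from the thread or from the Log4j project: the quoted CVE text only applies when something in the deployment receives serialized log events over the network (the `SocketServer`/`SimpleSocketServer` classes in log4j 1.2) or ships them to such a receiver (`SocketAppender`/`SocketHubAppender`). The Python script below checks for that precondition by parsing a log4j 1.x `log4j.properties` appender list and looking at JVM command lines on the host. The function names, the sample configs and the command lines are constructed; the log4j class names are the real ones.

```python
"""Added example (not from the thread): does this log4j 1.2 deployment meet the
CVE-2019-17571 precondition at all?  The flaw is in the SocketServer classes
that *receive* serialized log events over TCP.  An app whose appenders write
to a file, as described in the question, neither listens for nor ships log
data over the network, so the first thing to check is the log4j.properties
appender list and the JVM command lines on the host."""
import re
from typing import Dict, List

# log4j 1.x appenders that ship LoggingEvents to a remote receiver.
SENDING_APPENDERS = {
    "org.apache.log4j.net.SocketAppender",
    "org.apache.log4j.net.SocketHubAppender",
}
# Receiver classes shipped in log4j 1.2 that deserialize what arrives on the socket.
RECEIVER_CLASSES = (
    "org.apache.log4j.net.SocketServer",
    "org.apache.log4j.net.SimpleSocketServer",
)
# Matches "log4j.appender.NAME=fully.qualified.Class" (not the NAME.property lines).
APPENDER_RE = re.compile(r"^\s*log4j\.appender\.([\w-]+)\s*=\s*(\S+)\s*$")


def parse_appenders(config_text: str) -> Dict[str, str]:
    """Map appender name -> appender class from a log4j 1.x properties file."""
    appenders: Dict[str, str] = {}
    for line in config_text.splitlines():
        if line.lstrip().startswith("#"):
            continue
        m = APPENDER_RE.match(line)
        if m:
            appenders[m.group(1)] = m.group(2)
    return appenders


def sending_appenders(config_text: str) -> Dict[str, str]:
    """Appenders that push log data onto the network (so a receiver exists somewhere)."""
    return {name: cls for name, cls in parse_appenders(config_text).items()
            if cls in SENDING_APPENDERS}


def receiver_processes(cmdlines: List[str]) -> List[str]:
    """JVM command lines (e.g. from `ps -eo args`) that run a log4j socket receiver."""
    return [c for c in cmdlines if any(cls in c for cls in RECEIVER_CLASSES)]


def assess(config_text: str, cmdlines: List[str]) -> str:
    """'exposed'      : this host deserializes log events from the network
       'check-remote' : this host ships logs to a receiver; assess that host
       'file-only'    : no network log path, the CVE precondition is absent"""
    if receiver_processes(cmdlines):
        return "exposed"
    if sending_appenders(config_text):
        return "check-remote"
    return "file-only"


# --- constructed sample inputs (hostnames are placeholders) ---------------
FILE_CONFIG = """\
# typical Tomcat webapp config: everything goes to a file appender
log4j.rootLogger=INFO, FILE
log4j.appender.FILE=org.apache.log4j.DailyRollingFileAppender
log4j.appender.FILE.File=${catalina.base}/logs/app.log
log4j.appender.FILE.layout=org.apache.log4j.PatternLayout
"""
NET_CONFIG = """\
log4j.rootLogger=INFO, NET
log4j.appender.NET=org.apache.log4j.net.SocketAppender
log4j.appender.NET.RemoteHost=logs.internal.example
log4j.appender.NET.Port=4560
"""
TOMCAT_ONLY = ["java -cp tomcat/bin/bootstrap.jar org.apache.catalina.startup.Bootstrap start"]
WITH_RECEIVER = TOMCAT_ONLY + [
    "java -cp log4j-1.2.17.jar org.apache.log4j.net.SimpleSocketServer 4560 server.properties"]

if __name__ == "__main__":
    print("file-only config, tomcat only :", assess(FILE_CONFIG, TOMCAT_ONLY))
    print("socket appender, tomcat only  :", assess(NET_CONFIG, TOMCAT_ONLY))
    print("file-only config + receiver   :", assess(FILE_CONFIG, WITH_RECEIVER))
```

Run it against the real `log4j.properties` of the webapp and the output of `ps -eo args` on the Tomcat host. A `file-only` verdict matches the situation the question describes; `check-remote` means the log data does leave the box and the receiving host is the one to look at; `exposed` means a log4j 1.2 receiver is listening and the CVE text applies directly.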
 
Saloon Keeper
Posts: 7236
Yes, there can be network traffic when writing to the log. Writing a log entry can cause a JNDI lookup, which may lead to external code being loaded and executed. It's not what you expect when writing to the log, but here we are.

Maybe this will make things clearer: https://www.veracode.com/blog/research/exploiting-jndi-injections-java. A lookup of this kind can be triggered by writing the right kind of log message using log4j. So if an app writes user-supplied data to the log without sanitizing it, the exploit can happen.
 
Saloon Keeper
Posts: 24889
It's not uncommon in large shops for different systems or even entire servers to write logs to central log servers. But that's not what the CVE is about.

Think of it more like a SQL Injection attack. Except that the poison can be injected via a URL from a malicious external JNDI server or the like.
 