oss-sec mailing list archives
Re: CVE-2021-44228: Apache Log4j2 JNDI features do not protect against attacker controlled LDAP and other JNDI related endpoints
From: Moritz Bechler <mbechler () eenterphace org>
Date: Fri, 10 Dec 2021 11:29:48 +0100
Hello,
In previous releases (>2.10) this behavior can be mitigated by setting system property "log4j2.formatMsgNoLookups" to “true” or by removing the JndiLookup class from the classpath (example: zip -q -d log4j-core-*.jar org/apache/logging/log4j/core/lookup/JndiLookup.class). Java 8u121 (see https://www.oracle.com/java/technologies/javase/8u121-relnotes.html) protects against remote code execution by defaulting "com.sun.jndi.rmi.object.trustURLCodebase" and "com.sun.jndi.cosnaming.object.trustURLCodebase" to "false".
Please note, that Java 8u121+ does not necessarily protect against remote code execution. There are known exploitation vectors using local naming factories, e.g. a XBean BeanFactory (bundled with Tomcat). Also, both RMI and LDAP lookups can be made to perform Java deserialization on remote input and therefore there is a good chance for secondary RCE exploits.
Moritz
Current thread:
- CVE-2021-44228: Apache Log4j2 JNDI features do not protect against attacker controlled LDAP and other JNDI related endpoints Ralph Goers (Dec 10)
- Re: CVE-2021-44228: Apache Log4j2 JNDI features do not protect against attacker controlled LDAP and other JNDI related endpoints Moritz Bechler (Dec 10)
- Re: CVE-2021-44228: Apache Log4j2 JNDI features do not protect against attacker controlled LDAP and other JNDI related endpoints Moritz Bechler (Dec 10)