oss-sec mailing list archives

Re: CVE-2021-44228: Apache Log4j2 JNDI features do not protect against attacker controlled LDAP and other JNDI related endpoints

From: Moritz Bechler <mbechler () eenterphace org>
Date: Fri, 10 Dec 2021 11:29:48 +0100

Hello,

In previous releases (>2.10) this behavior can be mitigated by setting system property "log4j2.formatMsgNoLookups" to “true” or by removing the 
JndiLookup class from the classpath (example: zip -q -d log4j-core-*.jar org/apache/logging/log4j/core/lookup/JndiLookup.class). Java 8u121 (see 
https://www.oracle.com/java/technologies/javase/8u121-relnotes.html) protects against remote code execution by defaulting 
"com.sun.jndi.rmi.object.trustURLCodebase" and "com.sun.jndi.cosnaming.object.trustURLCodebase" to "false".

Please note, that Java 8u121+ does not necessarily protect againstremote code execution. There are known exploitation vectors using localnaming factories, e.g. a XBean BeanFactory (bundled with Tomcat). Also,both RMI and LDAP lookups can be made to perform Java deserialization onremote input and therefore there is a good chance for secondary RCEexploits.



Moritz

Current thread:

CVE-2021-44228: Apache Log4j2 JNDI features do not protect against attacker controlled LDAP and other JNDI related endpoints Ralph Goers (Dec 10)
- Re: CVE-2021-44228: Apache Log4j2 JNDI features do not protect against attacker controlled LDAP and other JNDI related endpoints Moritz Bechler (Dec 10)
- Re: CVE-2021-44228: Apache Log4j2 JNDI features do not protect against attacker controlled LDAP and other JNDI related endpoints Moritz Bechler (Dec 10)