Products Openwall GNU/*/Linux   server OS Linux Kernel Runtime Guard John the Ripper   password cracker Free & Open Source for any platform in the cloud Pro for Linux Pro for macOS Wordlists   for password cracking passwdqc   policy enforcement Free & Open Source for Unix Pro for Windows (Active Directory) yescrypt   KDF & password hashing yespower   Proof-of-Work (PoW) crypt_blowfish   password hashing phpass   ditto in PHP tcb   better password shadowing Pluggable Authentication Modules scanlogd   port scan detector popa3d   tiny POP3 daemon blists   web interface to mailing lists msulogin   single user mode login php_mt_seed   mt_rand() cracker Services Publications Articles Presentations Resources Mailing lists Community wiki Source code repositories (GitHub) Source code repositories (CVSweb) File archive & mirrors How to verify digital signatures OVE IDs What's new

Message-ID: <9fb9155e-c91e-7414-6343-523864d69536@eenterphace.org>
Date: Mon, 13 Dec 2021 20:22:29 +0100
From: Moritz Bechler <mbechler@...terphace.org>
To: oss-security@...ts.openwall.com, Ralph Goers <rgoers@...che.org>
Subject: Re: CVE-2021-4104: Deserialization of untrusted data
 in JMSAppender in Apache Log4j 1.2

Hello,

> 
> JMSAppender in Log4j 1.2 is vulnerable to deserialization of untrusted data when the attacker has write access to the Log4j configuration. The attacker can provide TopicBindingName and TopicConnectionFactoryBindingName configurations causing JMSAppender to perform JNDI requests that result in remote code execution in a similar fashion to CVE-2021-44228.
> 
> Note this issue only affects Log4j 1.2 when specifically configured to use JMSAppender, which is not the default.

Pretty sure someone was pushing for this, sorry to be nagging again, but 
I don't think adding that to the overall panic and confusion is really 
helping.

To emphasize again: this needs write access to the Log4j configuration.

This is in no way even coming close to CVE-2021-44228 - log4j 1.2 is 
absolutely unaffected by that bug.

Only for people allowing untrusted parties to modify logger 
configuration this could be considered to cross a trust boundary. 
Allowing that, in my opinion, already would require very careful 
consideration on the caller/user side and cannot be assumed to be safe.

If one can modify the logger configuration, one might as well 
(re)configure a FileAppender and write to files with the process 
privileges - most likely also resulting in code execution.

Everybody else should probably forget about this - expect for the fact 
that they still might be using software that has been unsupported for 
many years.

Configuring e.g. DataSources via JNDI name lookups is not that uncommon 
in Java applications and application servers, these all suffer from the 
same "vulnerability". JNDI is a overly complex mess of bad surprises 
(and in my opinion absolutely should go away), but that is really not 
log4j's fault.



Moritz

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.