Hi,

Interesting. I know this is a bit off topic...

Does it make a difference for the vulnerability if I log with:

a) log.warn("log msg param {}", userControlledParam);

or

b) log.warn("log msg param " + userControlledParam);

Best regards
Thomas

On 13 December 2021 19:53:04 CET, Mark Thomas <ma...@apache.org> wrote:
>On 13/12/2021 18:31, James H. H. Lampert wrote:
>> The thing I'm still utterly unclear about is how simply logging traffic
>> could, by itself, create a vulnerability.
>>
>> In our case, the log entries are not even viewable unless you are signed
>> on to a command line session on the server (ssh for headless Linux; a
>> physical Twinax terminal, or a 5250 emulator of some sort, for IBM
>> Midrange).
>>
>> How can a log entry be executed as a command, anyway?
>
>Log4j2 supports a log message format syntax that includes JNDI lookups.
>
>Log4j2 processes log messages repeatedly until it doesn't find any more
>format strings. This means the output of one format string can insert a
>new format string.
>
>So, if the application is logging some user provided string verbatim
>then the user can do the following:
>- provide input that includes the log4j2 format string for a JNDI lookup
>- on the first iteration log4j2 builds the log message that includes
>  the user provided string
>- on the second iteration log4j processes the user provided format
>  string and performs a JNDI lookup
>
>For an example of how a JNDI lookup can be leveraged to trigger code
>execution in Tomcat see this article:
>https://www.veracode.com/blog/research/exploiting-jndi-injections-java
>
>That isn't the only way to use JNDI to trigger code execution and I am
>sure security researchers will find a bunch of new ways as a result of
>this vulnerability.
>
>HTH,
>
>Mark
>
>---------------------------------------------------------------------
>To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
>For additional commands, e-mail: users-h...@tomcat.apache.org
>

--
This message was sent from my Android device with K-9 Mail.