Hi,

I did some checks:
- The problem also exists with logging parameters, so it is also executed if 
you call (which is IMHO a design failure in log4j, the reason for this is that 
the expansion is happening on printing the complete formatted log string to 
the output file): logger.info("Foobar: {}", "${badPayload}")
- It also triggers if the message of an exception has a malicious payload! So 
it happens easily if some input is validated and there's an 
IllegalArgumentException logged on validation errors

To try it out and see it live, do the following (can be done on any server, I 
tested it on my own servers, worked always):

Start a local netcat:
root@pangaea-mw1:~# nc -lp 1234

Go to any user interface of your application, e.g. solr, or send a query 
containing this payload, e.g. as part of a query string that is logged:
${jndi:ldap://127.0.0.1:1234/abc}

You will see cryptic text with emojis in the above netcat output. This shows 
that it definitely made an external request.

We should fix this in 8.11 by doing the following:
a) add "-Dlog4j2.formatMsgNoLookups=true" to Solr's start scripts (easy fix, I 
did the same on all my servers). Add this to the *main shell script*, not to 
the solr.sh.in files, as those are modified by users.
b) possibly update log4j, but with above fix it's not urgent and should not be 
done in 10.0.

Uwe

-----
Uwe Schindler
Achterdiek 19, D-28357 Bremen
https://www.thetaphi.de
eMail: u...@thetaphi.de

> -----Original Message-----
> From: Bram Van Dam <bram.van...@intix.eu>
> Sent: Friday, December 10, 2021 8:31 AM
> To: dev@solr.apache.org
> Subject: Log4J RCE vulnerability
> 
> Heads up:
> 
> Seems like there's a pretty severe remote code execution vulnerability
> [1] in Log4J. Basically any application that uses log4j and that allows
> user input to be injected into a logging string is susceptible. This
> probably includes Solr.
> 
> Further interesting discussion on Hacker News [2]
> 
> [1] https://www.lunasec.io/docs/blog/log4j-zero-day/
> [2] https://news.ycombinator.com/item?id=29504755
> 
> 
>   - Bram
> 
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: dev-unsubscr...@solr.apache.org
> For additional commands, e-mail: dev-h...@solr.apache.org


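A small defender-side check, added here as an illustrative example and not code from the thread or from the Solr project: it scans constructed Solr-style log lines for the "${prefix:...}" lookup pattern discussed above (arriving in a query string and in an exception message) and tests a JVM command line for the -Dlog4j2.formatMsgNoLookups=true mitigation proposed for the start script. The function names and the sample log lines are assumptions.

```python
import re
import shlex

# Log4j 2 lookup syntax is "${prefix:argument}". The "jndi" prefix is the one
# that makes the logger reach out over the network, so it is reported separately.
LOOKUP_RE = re.compile(r"\$\{\s*([A-Za-z0-9_]+)\s*:([^}]*)\}")
NETWORK_PREFIXES = frozenset({"jndi"})

def find_lookups(text):
    """Return (prefix, argument) for every lookup pattern found in text."""
    return [(m.group(1).lower(), m.group(2).strip()) for m in LOOKUP_RE.finditer(text)]

def scan_log(log_text):
    """Return (line_number, prefix, argument, is_network) for each lookup seen.

    Every line is scanned regardless of level: the pattern may arrive as a
    query parameter, as a logging parameter ("{}" placeholder) or inside an
    exception message, and all three end up in the formatted log string."""
    hits = []
    for lineno, line in enumerate(log_text.splitlines(), start=1):
        for prefix, arg in find_lookups(line):
            hits.append((lineno, prefix, arg, prefix in NETWORK_PREFIXES))
    return hits

def has_nolookups_flag(jvm_cmdline):
    """True when the JVM command line carries -Dlog4j2.formatMsgNoLookups=true.
    The last occurrence wins, as the JVM does for repeated -D options."""
    value = None
    for arg in shlex.split(jvm_cmdline):
        if arg.startswith("-Dlog4j2.formatMsgNoLookups="):
            value = arg.split("=", 1)[1]
    return value is not None and value.strip().lower() == "true"

# Constructed sample (hypothetical lines, not real Solr output): the second line
# carries the payload in a query string, the third inside an exception message.
SAMPLE_LOG = """\
2021-12-10 09:12:01.123 INFO  (qtp1-21) [   x:films] o.a.s.c.S.Request [films]  webapp=/solr path=/select params={q=title:matrix&wt=json} status=0 QTime=3
2021-12-10 09:12:05.456 INFO  (qtp1-22) [   x:films] o.a.s.c.S.Request [films]  webapp=/solr path=/select params={q=${jndi:ldap://127.0.0.1:1234/abc}&wt=json} status=0 QTime=2
2021-12-10 09:12:07.789 ERROR (qtp1-23) [   x:films] o.a.s.h.RequestHandlerBase java.lang.IllegalArgumentException: bad rows value: ${jndi:ldap://127.0.0.1:1234/abc}
"""

if __name__ == "__main__":
    for lineno, prefix, arg, is_net in scan_log(SAMPLE_LOG):
        flag = "NETWORK LOOKUP" if is_net else "lookup"
        print(f"line {lineno}: {flag} ${{{prefix}:{arg}}}")
    print("start script mitigated:",
          has_nolookups_flag("java -Dlog4j2.formatMsgNoLookups=true -jar start.jar"))
```

With lookups still enabled, the file may hold the lookup's result instead of the raw pattern, since expansion happens when the formatted string is written; scanning the logged request input as well gives a more complete picture.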
