TopStreamsNet commented on pull request #608: URL: https://github.com/apache/logging-log4j2/pull/608#issuecomment-991739074
> If the attacker can modify log4j.properties (log4j 1.x), she does not need to download malicious code, she can just as easily place malicious class files in the classpath and have them executed.
>
> So, in a very strict sense there is a vulnerability in log4j 1.x but nothing close to log parameter induced RCE.

I agree with your sentiment, though I do see a difference between being able to modify properties in a configuration file (to set the target topic) versus being able to add class files; that would be a bit of a stretch.

> **If the attacker can modify the config file on some system S, then S can be assumed to be already penetrated to a large extent.**

I can't completely agree with this statement, as I can see a whole number of use cases where users can legitimately amend the configuration, or parts of it, for customization reasons. Anyway, I just wanted to clarify the state of exploitation in 1.x to show how it is possible.

--
This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment.
