[https://issues.apache.org/jira/browse/LOG4J2-3293?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17468135#comment-17468135]
Ralph Goers edited comment on LOG4J2-3293 at 1/3/22, 6:15 PM:
--------------------------------------------------------------
There are two cases:
# Someone can modify your configuration file and configure it to use JNDI to
go to some arbitrary location. Obviously, this alone would not qualify for a
CVE.
# You have a configuration that has something like
jndiName="ldap://myhost:389/cn=password,o=myserver.com".
The second case is the one that can have the more serious problem as it looks
perfectly normal in the configuration. But anyone who has access to the LDAP
server can manipulate the entry to cause an RCE to occur. Worse, so long as it
returns the expected data the RCE might never even be noticed.
> JDBC Appender should use JNDI Manager and JNDI access should be limited.
> ------------------------------------------------------------------------
>
> Key: LOG4J2-3293
> URL: https://issues.apache.org/jira/browse/LOG4J2-3293
> Project: Log4j 2
> Issue Type: Bug
> Components: Appenders
> Affects Versions: 2.17.0, 2.12.3, 2.3.1
> Reporter: Ralph Goers
> Assignee: Gary D. Gregory
> Priority: Major
> Fix For: 2.17.1, 2.3.2, 2.12.4
>
>
> JDBC Appender should use JndiManager when accessing JNDI. JNDI access should
> be controlled via a system property.
> Related to
> [CVE-2021-44832|https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-44832]
> where an attacker with permission to modify the logging configuration file
> can construct a malicious configuration using a JDBC Appender with a data
> source referencing a JNDI URI which can execute remote code.
> Fixed in
> [https://github.com/apache/logging-log4j2/commit/05db5f9527254632b59aed2a1d78a32c5ab74f16]
>
--
This message was sent by Atlassian Jira
(v8.20.1#820001)
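As an added example (not code from Log4j 2 and not part of this Jira thread), a small Python check for the second case described in the comment: a JDBC appender whose DataSource is resolved through a JNDI name. It parses Log4j 2 XML configurations, separates a jndiName that is a URL to a network naming service (ldap://, rmi://, and the like) from a bare local name such as java:comp/env/..., and puts the DriverManager connection source beside it as the JNDI-free way to wire the same appender. The hostnames, credentials and all three configuration samples are constructed for the example.

```python
"""Flag Log4j 2 JDBC appenders that obtain their DataSource through JNDI.

Added example for this discussion, not Log4j 2 code and not from the Jira
thread. All configuration samples below are constructed.
"""
from __future__ import annotations

import xml.etree.ElementTree as ET
from dataclasses import dataclass
from urllib.parse import urlsplit

# A jndiName that is a URL with one of these schemes is resolved by a naming
# service reached over the network; whoever controls that service decides
# which object, and therefore which class, the lookup hands back. A bare name
# ("jdbc/LoggingDS", "java:comp/env/...") stays in the local context.
REMOTE_JNDI_SCHEMES = frozenset(
    {"ldap", "ldaps", "rmi", "iiop", "iiopname", "corbaname", "dns", "nis"}
)


@dataclass(frozen=True)
class Finding:
    appender: str   # name attribute of the JDBC appender
    jndi_name: str  # DataSource/@jndiName
    scheme: str     # URL scheme of jndi_name, "" for a bare name
    remote: bool    # scheme points at a network-reachable naming service


def _is_jdbc_appender(element: ET.Element) -> bool:
    # Log4j accepts both the plugin tag <JDBC> and <Appender type="JDBC">.
    plugin = element.get("type", "") if element.tag == "Appender" else element.tag
    return plugin.lower() == "jdbc"


def scan_config(xml_text: str) -> list[Finding]:
    """One Finding per <DataSource jndiName=...> under a JDBC appender."""
    root = ET.fromstring(xml_text)
    appenders = root.find("Appenders")
    if appenders is None:
        return []
    findings = []
    for appender in appenders:
        if not _is_jdbc_appender(appender):
            continue
        # DriverManager and PoolingDriver connection sources never touch
        # JNDI, so only DataSource children are of interest.
        for ds in appender.iter("DataSource"):
            jndi_name = ds.get("jndiName", "")
            scheme = urlsplit(jndi_name).scheme.lower()
            findings.append(Finding(
                appender=appender.get("name", "<unnamed>"),
                jndi_name=jndi_name,
                scheme=scheme,
                remote=scheme in REMOTE_JNDI_SCHEMES,
            ))
    return findings


def report(xml_text: str) -> list[str]:
    """Human-readable verdict per finding; a single OK line when clean."""
    lines = []
    for f in scan_config(xml_text):
        severity = "HIGH" if f.remote else "REVIEW"
        lines.append(f"{severity}: JDBC appender {f.appender!r} resolves its "
                     f"DataSource through JNDI name {f.jndi_name!r}")
    return lines or ["OK: no JDBC appender uses a JNDI-resolved DataSource"]


# Constructed sample: the comment's second case, a config that looks normal
# but hands the appender's DataSource lookup to an LDAP server.
REMOTE_LDAP_CONFIG = """<Configuration status="warn">
  <Appenders>
    <JDBC name="databaseAppender" tableName="application_log">
      <DataSource jndiName="ldap://myhost:389/cn=password,o=myserver.com"/>
      <Column name="eventDate" isEventTimestamp="true"/>
      <Column name="message" pattern="%message"/>
    </JDBC>
  </Appenders>
  <Loggers><Root level="warn"><AppenderRef ref="databaseAppender"/></Root></Loggers>
</Configuration>"""

# Constructed sample: JNDI lookup against the container's local context.
LOCAL_JNDI_CONFIG = REMOTE_LDAP_CONFIG.replace(
    "ldap://myhost:389/cn=password,o=myserver.com", "java:comp/env/jdbc/LoggingDS")

# Constructed sample: same appender wired through DriverManager; no JNDI at all.
DRIVER_MANAGER_CONFIG = REMOTE_LDAP_CONFIG.replace(
    '<DataSource jndiName="ldap://myhost:389/cn=password,o=myserver.com"/>',
    '<DriverManager connectionString="jdbc:postgresql://db.internal:5432/app" '
    'userName="logwriter" password="${env:LOG_DB_PASSWORD}"/>')

if __name__ == "__main__":
    for label, cfg in [("remote LDAP", REMOTE_LDAP_CONFIG),
                       ("local JNDI", LOCAL_JNDI_CONFIG),
                       ("DriverManager", DRIVER_MANAGER_CONFIG)]:
        print(f"[{label}]")
        for line in report(cfg):
            print("  " + line)
```

A REVIEW finding (bare or java: name) still means the appender trusts whatever the local InitialContext returns, but only a HIGH finding lets an outside party pick the object. On the fix versions listed in the issue the JDBC appender additionally refuses any JNDI DataSource unless the JVM is started with -Dlog4j2.enableJndiJdbc=true, so a HIGH finding is live where that property is set or where the Log4j version predates the fix; in either case the DriverManager form removes the lookup entirely, and with it the LDAP server's ability to choose what the appender receives.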