Note that this “requires access to the logging configuration” is simply wrong. I wish I had known 10 years ago what I now know about JNDI, and Java’s LDAP support via JNDI. Unfortunately, I only learned about it in the last 3 weeks.

The LDAP schema for Java is where the real problem lies. It defines data to instantiate classes that implement the Referenceable interface. These classes are created via an ObjectFactory. The wonderful thing about the Java schema is that it defines reference address attributes, which give the location where you can find the object factory class object.

So if you have access to LDAP you can manipulate the data to point to your own ObjectFactory. So long as that returns whatever the caller was expecting, you can do whatever else you want completely undetected. Or if you have access to wherever the objects reside, you can replace them there with a custom class.

Of course, Java also supports Serializable objects via LDAP, and everyone knows that has holes like Swiss cheese.

So if you have an existing configuration that already accesses LDAP via JNDI to get a password, no one needs to touch the config file to perform an RCE.

This is the perfect way for an unhappy employee to create a backdoor.

Ralph



> On Dec 21, 2021, at 11:12 AM, Leo Simons <m...@leosimons.com> wrote:
> 
> On Tue, 21 Dec 2021 at 18:48, Gary Gregory <garydgreg...@gmail.com> wrote:
> 
>> …
>> I wonder what logback actually means by "Temporarily removed DB support for
>> security reasons.", did they remove public or protected code? Well we have
>> enough to deal with here without worrying about that.
> 
> 
> Yeah they deleted DBAppender. Public code that you can/should reference in
> a config file. So source/binary/config incompatible.
> 
> https://github.com/qos-ch/logback/commit/87291079a1de9369ac67e20dc70a8fdc7cc4359c
> 
> So logback 1.2.8 has it, 1.2.9 doesn’t, 1.3 (JDK8+) will probably get a
> security hardened version, probably then backported to make a 1.2.10 for
> JDK7.
> 
> (Of course a very different project, different vulnerability, etc, so
> different considerations & choices)
> 
> Spring is picking it up in their release:
> 
> https://spring.io/blog/2021/12/10/log4j2-vulnerability-and-spring-boot
> 
> So Twitter after Christmas will start to teach us about user response :-)
> 
> 
> Cheers,
> 
> 
> Leo
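The two planting paths Ralph describes above (a javaNamingReference whose javaFactory/javaCodebase name a factory the attacker controls, and a javaSerializedObject whose bytes are deserialized on lookup) both leave traces in the directory data itself, which is where a defender can look without touching any application config. The following is an added example and is not code from Log4j, logback, or anyone on this thread: a small Python audit over an LDIF export that flags entries carrying the RFC 2713 Java-schema attributes. The LDIF entries, DNs, host names and class names are constructed for illustration.

```python
"""Audit an LDIF directory export for the Java LDAP schema (RFC 2713)
attributes that drive JNDI object construction on the lookup side.

Added example; not code from the log4j project or from anyone in the
thread.  SAMPLE_LDIF below is constructed for illustration.
"""
import base64
import re
from dataclasses import dataclass

# javaReferenceAddress syntax per RFC 2713: "#<index>#<type>#<content>",
# or "#<index>#<type>##<base64 content>" for non-string address content.
REF_ADDR = re.compile(r"^#(\d+)#([^#]*)#(#?)(.*)$", re.S)
# One LDIF attribute line: "name: value" or "name:: base64value".
LDIF_LINE = re.compile(r"^([A-Za-z][\w-]*)(::?) ?(.*)$", re.S)


@dataclass
class Finding:
    dn: str
    severity: str   # "high" or "medium"
    reason: str


def parse_ldif(text):
    """Tiny LDIF reader: unfolds continuation lines, decodes '::' base64
    values, and returns [(dn, {attribute_lowercase: [values]})]."""
    entries = []
    for block in re.split(r"\n\s*\n", re.sub(r"\n ", "", text.strip())):
        dn, attrs = None, {}
        for line in block.splitlines():
            m = LDIF_LINE.match(line)
            if not m or line.startswith("#"):
                continue
            name, sep, value = m.group(1).lower(), m.group(2), m.group(3)
            if sep == "::":
                value = base64.b64decode(value).decode("utf-8", "replace")
            if name == "dn":
                dn = value
            else:
                attrs.setdefault(name, []).append(value)
        if dn is not None:
            entries.append((dn, attrs))
    return entries


def parse_ref_addr(value):
    """Decode one javaReferenceAddress value into (index, type, content),
    or None if it does not follow the RFC 2713 encoding."""
    m = REF_ADDR.match(value)
    if not m:
        return None
    index, addr_type, encoded, content = m.groups()
    if encoded:
        content = base64.b64decode(content).decode("utf-8", "replace")
    return int(index), addr_type, content


def audit(entries):
    """Flag entries that can make a JNDI client deserialize directory data
    or load an ObjectFactory that the directory names."""
    findings = []
    for dn, attrs in entries:
        if "javaserializeddata" in attrs:
            findings.append(Finding(dn, "high",
                "javaSerializedData: lookup() deserializes these bytes"))
        if "javafactory" in attrs:
            factory = attrs["javafactory"][0]
            if "javacodebase" in attrs:
                findings.append(Finding(dn, "high",
                    f"javaFactory {factory} with javaCodebase "
                    f"{attrs['javacodebase'][0]} (remote factory class; refused "
                    "only when com.sun.jndi.ldap.object.trustURLCodebase=false)"))
            else:
                findings.append(Finding(dn, "medium",
                    f"javaFactory {factory} resolved from the app's classpath"))
        for raw in attrs.get("javareferenceaddress", []):
            parsed = parse_ref_addr(raw)
            if parsed and parsed[2].startswith(("http://", "https://",
                                                "file:", "ldap://")):
                findings.append(Finding(dn, "medium",
                    f"RefAddr '{parsed[1]}' points at {parsed[2]}"))
    return findings


# Constructed sample export: one harmless entry, one Reference whose factory
# is served from a URL codebase, and one serialized object.
SAMPLE_LDIF = """\
dn: cn=mailhost,ou=app,dc=example,dc=com
objectClass: javaContainer
cn: mailhost
description: plain entry, nothing to construct

dn: cn=ds,ou=app,dc=example,dc=com
objectClass: javaNamingReference
javaClassName: javax.sql.DataSource
javaFactory: com.example.DataSourceFactory
javaCodebase: http://files.example.internal/app/
javaReferenceAddress: #0#url#jdbc:postgresql://db.example.internal/app
javaReferenceAddress: #1#note##YmFzZTY0IGFkZHJlc3M=

dn: cn=cfg,ou=app,dc=example,dc=com
objectClass: javaSerializedObject
javaClassName: java.util.HashMap
javaSerializedData:: rO0ABQ==
"""

if __name__ == "__main__":
    for f in audit(parse_ldif(SAMPLE_LDIF)):
        print(f"{f.severity.upper():6} {f.dn}: {f.reason}")
```

The script only reads directory data (for a live directory, feed it the output of an `ldapsearch -LLL` export); it never performs a JNDI lookup. Note the asymmetry the severities encode: since JDK 8u191 and 11.0.1 `com.sun.jndi.ldap.object.trustURLCodebase` defaults to false, so the javaCodebase path is refused by default, but that flag does nothing for javaSerializedData, and a javaFactory that names a class already on the application's classpath is still instantiated.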
