Jan Tepke created LOG4J2-588:
--------------------------------
Summary: Log4j 2 rc1 executes unsigned content by checking for
plugins
Key: LOG4J2-588
URL: https://issues.apache.org/jira/browse/LOG4J2-588
Project: Log4j 2
Issue Type: Bug
Components: Core
Affects Versions: 2.0-rc1
Environment: Mac Pro, Mac OS X, Java6
Reporter: Jan Tepke
Hey guys,
In our laboratory infrastructure we launch java applications as java webstarts.
These applications have to be signed.
This now leads us to the following problem:
Log4j2 rc1 seems to check for plugins in the java home directory of the
operating system and tries to access/execute some code of the contained jar
files. These files are not signed.
These cicumstances lead to a Security Exception which did not occur in all
minor Log4j2 versions (including beta 9).
Let me give you some more details.
Here is the stacktrace showing the situation before the program crashes:
"javawsApplicationMain" prio=5 tid=1131a1800 nid=0x13fab6000 in Object.wait()
[13fab2000]
java.lang.Thread.State: WAITING (on object monitor)
at java.lang.Object.wait(Native Method)
- waiting on <7f47700a0> (a java.lang.Object)
at java.lang.Object.wait(Object.java:485)
at
com.sun.javaws.ui.JavawsSysRun.delegate(JavawsSysRun.java:214)
- locked <7f47700a0> (a java.lang.Object)
at
com.sun.deploy.util.DeploySysRun.execute(DeploySysRun.java:24)
at
com.sun.deploy.util.DeploySysRun$1.run(DeploySysRun.java:46)
at
java.security.AccessController.doPrivileged(Native
Method)
at
com.sun.deploy.util.DeploySysRun.executePrivileged(DeploySysRun.java:42)
at
com.sun.deploy.ui.UIFactory.showMixedCodeDialog(UIFactory.java:673)
at
com.sun.deploy.security.CPCallbackHandler.showMixedTrustDialog(CPCallbackHandler.java:887)
at
com.sun.deploy.security.CPCallbackHandler.access$1200(CPCallbackHandler.java:74)
at
com.sun.deploy.security.CPCallbackHandler$ParentCallback.checkAllowed(CPCallbackHandler.java:352)
at
com.sun.deploy.security.CPCallbackHandler$ParentCallback.check(CPCallbackHandler.java:327)
- locked
<7f4734908>
(a
com.sun.deploy.security.CPCallbackHandler$ParentCallback)
at
com.sun.deploy.security.CPCallbackHandler$ParentCallback.access$1800(CPCallbackHandler.java:128)
at
com.sun.deploy.security.CPCallbackHandler$ChildElement.checkResource(CPCallbackHandler.java:506)
at
com.sun.deploy.security.DeployURLClassPath$JarLoader.checkResource(DeployURLClassPath.java:816)
at
com.sun.deploy.security.DeployURLClassPath$JarLoader.getResource(DeployURLClassPath.java:889)
at
com.sun.deploy.security.DeployURLClassPath$JarLoader.findResource(DeployURLClassPath.java:860)
at
com.sun.deploy.security.DeployURLClassPath$1.next(DeployURLClassPath.java:265)
at
com.sun.deploy.security.DeployURLClassPath$1.hasMoreElements(DeployURLClassPath.java:276)
at
java.net.URLClassLoader$3$1.run(URLClassLoader.java:416)
at
java.security.AccessController.doPrivileged(Native
Method)
at
java.net.URLClassLoader$3.next(URLClassLoader.java:413)
at
java.net.URLClassLoader$3.hasMoreElements(URLClassLoader.java:438)
at
sun.misc.CompoundEnumeration.next(CompoundEnumeration.java:27)
at
sun.misc.CompoundEnumeration.hasMoreElements(CompoundEnumeration.java:36)
at
org.apache.logging.log4j.core.config.plugins.ResolverUtil.findInPackage(ResolverUtil.java:240)
at
org.apache.logging.log4j.core.config.plugins.PluginManager.collectPlugins(PluginManager.java:174)
at
org.apache.logging.log4j.core.config.plugins.PluginManager.collectPlugins(PluginManager.java:130)
at
org.apache.logging.log4j.core.config.BaseConfiguration.start(BaseConfiguration.java:152)
at
org.apache.logging.log4j.core.LoggerContext.setConfiguration(LoggerContext.java:341)
- locked
<7f42b0750>
(a
org.apache.logging.log4j.core.LoggerContext)
at
org.apache.logging.log4j.core.LoggerContext.reconfigure(LoggerContext.java:386)
- locked
<7f42b0750>
(a
org.apache.logging.log4j.core.LoggerContext)
at
org.apache.logging.log4j.core.LoggerContext.start(LoggerContext.java:149)
at
org.apache.logging.log4j.core.impl.Log4jContextFactory.getContext(Log4jContextFactory.java:84)
at
org.apache.logging.log4j.core.impl.Log4jContextFactory.getContext(Log4jContextFactory.java:35)
at
org.apache.logging.log4j.LogManager.getLogger(LogManager.java:444)
at
org.apache.logging.log4j.LogManager.getLogger(LogManager.java:389)
at
de.mmis.utilities.genericPublisher.GenericPublisher.<clinit>(GenericPublisher.java:47)
at
de.mmis.utilities.genericPublisher.GenericPublisherMain.main(GenericPublisherMain.java:44)
at
sun.reflect.NativeMethodAccessorImpl.invoke0(Native
Method)
at
sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
at
sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
at
java.lang.reflect.Method.invoke(Method.java:597)
at
com.sun.javaws.Launcher.executeApplication(Launcher.java:1953)
at
com.sun.javaws.Launcher.executeMainClass(Launcher.java:1886)
at
com.sun.javaws.Launcher.doLaunchApp(Launcher.java:1648)
at
com.sun.javaws.Launcher.run(Launcher.java:141)
at
java.lang.Thread.run(Thread.java:695)
The problem seems to be line 240 in the findPackage(...) method in
core.config.plugins.ResolverUtil.
We set a breakpoint in line 234 and stepped through the program. We found
out that the Enumeration<URL> urls->enums->[0] ->val$e -> this$0 ->path
(ArrayList) consists of the values:
[file:/System/Library/Java/JavaVirtualMachines/1.6.0.jdk/Contents/Classes/jsfd.jar,
file:/System/Library/Java/JavaVirtualMachines/1.6.0.jdk/Contents/Classes/classes.jar,
file:/System/Library/Frameworks/JavaVM.framework/Versions/A/Frameworks/JavaRuntimeSupport.framework/Versions/A/Resources/Java/JavaRuntimeSupport.jar,
file:/System/Library/Java/JavaVirtualMachines/1.6.0.jdk/Contents/Classes/ui.jar,
file:/System/Library/Java/JavaVirtualMachines/1.6.0.jdk/Contents/Classes/laf.jar,
file:/System/Library/Java/JavaVirtualMachines/1.6.0.jdk/Contents/Classes/sunrsasign.jar,
file:/System/Library/Java/JavaVirtualMachines/1.6.0.jdk/Contents/Classes/jsse.jar,
file:/System/Library/Java/JavaVirtualMachines/1.6.0.jdk/Contents/Home/lib/jce.jar,
file:/System/Library/Java/JavaVirtualMachines/1.6.0.jdk/Contents/Classes/charsets.jar]
This (probably) leads the method to try to access code inside the jar files.
Because these jars ore not signed this causes a warning if you start the
webstart application that says that you try to run both signed and unsigned
contents.
I tried to fix this by commenting the whole method. This caused a
Null-Pointer-Exception. I think in this context you might need also to think
about the return statement in th catch clause in line 237. If the IOException
will be thrown, no global side effects could have happened, so this event will
also probably cause a
Null-Pointer-Exception.
--
This message was sent by Atlassian JIRA
(v6.2#6252)
---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]
