[jira] [Commented] (LOG4J2-3297) Disable remote loading of log4j configuration to prevent MiTM Attacks

Wed, 16 Feb 2022 21:13:06 -0800 


    [ 
https://issues.apache.org/jira/browse/LOG4J2-3297?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17493650#comment-17493650
 ] 

ASF subversion and git services commented on LOG4J2-3297:
---------------------------------------------------------

Commit 3bd53c14f53c8178320a95fd27be8eac05081257 in logging-log4j2's branch 
refs/heads/release-2.x from Ralph Goers
[ https://gitbox.apache.org/repos/asf?p=logging-log4j2.git;h=3bd53c1 ]

LOG4J2-3297 - Limit loading of configuration via a url to https by default


> Disable remote loading of log4j configuration to prevent MiTM Attacks
> ---------------------------------------------------------------------
>
>                 Key: LOG4J2-3297
>                 URL: https://issues.apache.org/jira/browse/LOG4J2-3297
>             Project: Log4j 2
>          Issue Type: Bug
>          Components: Core
>    Affects Versions: 2.17.1, 2.17.0
>            Reporter: Peter Malone
>            Assignee: Ralph Goers
>            Priority: Major
>
> The fix for *CVE-2021-44832* in release *2.17.1* of log4j-core prevents 
> remote JNDI injection via the JDBC Appender.
> Given the nature of that CVE, an attacker requires local access to the 
> configuration to be able to exploit it, OR in the rare chance the 
> *log4j2.configurationFile* property is set to a remote HTTP location, an 
> attacker can use a Man in the Middle Attack (MiTM) and inject their own 
> malicious configuration which could disable logging for an application 
> entirely.
> Is it possible to disable remote loading of log4j configurations entirely?
> If that feature is required, it may be necessary to create a log4j 
> configuration server that provides signed configs to the application, but 
> that seems like overkill to me. 
> I would opt for limiting the scope of the *log4j2.configurationFile* to local 
> configurations, and if remote configuration is a feature you cannot remove, 
> limiting it with a flag/variable and also limiting it to HTTPS for remote 
> configs.
> I don't think the priority on this is extremely urgent, but someone may try 
> to get a CVE under their belt by demonstrating this vector, and given the 
> pressure you've been under I did not feel the need to get a CVE for this.



--
This message was sent by Atlassian Jira
(v8.20.1#820001)

Reply via email to