To be more precise, it depends on how you configure log4j. By default Spring Boot installs

    <groupId>org.apache.logging.log4j</groupId>
    <artifactId>log4j-to-slf4j</artifactId>

In that case the default NullConfiguration of Log4j is not executed and the 
JNDI lookup is not configured.

The chance to be impacted is smaller.

> On 11.12.2021 at 23:35, Sebastian Hennebrüder <use...@laliluna.de> wrote:
> 
> Correction for Spring Boot with embedded Tomcat
> 
> The attack does not work by default.
> 
>> On 11.12.2021 at 23:04, Sebastian Hennebrüder <use...@laliluna.de> wrote:
>> 
>> Hi all,
>> 
>> I reproduced the attack against Tomcat 9.0.56 with the latest Java 8 and Java 
>> 11. Actually, the Java patch version is not relevant. 
>> 
>> It is possible with a deployed Tomcat 9 and Spring Boot with Tomcat embedded.
>> 
>> If your server can reach arbitrary servers on the Internet, you can execute 
>> random code in the shell.
>> 
>> The attack does not use RMI remote class loading but uses Tomcat's 
>> BeanFactory to create an ELExpression library. As the BeanFactory has 
>> features to manipulate instantiated classes, it can inject a script. In a 
>> plain Java application this would still be blocked by RMI class loading, but 
>> Tomcat circumvents this.
>> 
>> The attack was explained in 2019 at 
>> https://www.veracode.com/blog/research/exploiting-jndi-injections-java
>> 
>> 
>> Cheers 
>> 
>> Sebastian
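The distinction drawn at the top of this thread (the log4j-to-slf4j bridge versus a full log4j-core on the classpath) is something a defender can check mechanically rather than by reading the POM: the `${jndi:...}` lookup lives in one class of log4j-core, `org.apache.logging.log4j.core.lookup.JndiLookup`, and the bridge artifact does not ship it. The script below is an added example, not code from the thread or from the Log4j or Spring projects. It scans JAR files for that class, recursing into jars nested inside a Spring Boot fat jar under `BOOT-INF/lib/`, and reports where it is found. The three sample jars it builds are constructed in a temp directory to mimic the cases discussed (bridge only, plain log4j-core, and a fat jar embedding log4j-core); their contents are placeholders, not real Log4j bytecode.

```python
"""Scan JAR files (including jars nested inside a Spring Boot fat jar under
BOOT-INF/lib/) for the log4j-core class that implements ${jndi:...} lookups.
Added example; the sample jars are constructed, not real artifacts."""
import io
import os
import tempfile
import zipfile

# Real class path inside log4j-core 2.x up to 2.15. The log4j-to-slf4j bridge
# only forwards Log4j API calls to SLF4J and does not contain this class.
JNDI_LOOKUP_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"


def _scan_zip(zf, location, hits):
    """Record every location where JndiLookup.class appears; recurse into
    nested .jar/.war entries (Spring Boot keeps its libraries in BOOT-INF/lib)."""
    for name in zf.namelist():
        if name == JNDI_LOOKUP_CLASS:
            hits.append(location)
        elif name.lower().endswith((".jar", ".war")):
            with zf.open(name) as nested:
                data = nested.read()
            try:
                with zipfile.ZipFile(io.BytesIO(data)) as inner:
                    _scan_zip(inner, f"{location}!/{name}", hits)
            except zipfile.BadZipFile:
                continue  # an entry named .jar that is not actually a zip


def find_jndi_lookup(paths):
    """Return a list of 'outer.jar!/BOOT-INF/lib/inner.jar' style locations
    that contain JndiLookup.class. An empty list means no log4j-core lookup
    class was found in the scanned artifacts."""
    hits = []
    for path in paths:
        with zipfile.ZipFile(path) as zf:
            _scan_zip(zf, path, hits)
    return hits


def _make_jar(path, entries):
    """Build a constructed sample jar from {entry_name: bytes}."""
    with zipfile.ZipFile(path, "w") as zf:
        for name, data in entries.items():
            zf.writestr(name, data)
    return path


def build_samples(directory):
    """Construct three sample artifacts mirroring the cases in the thread.
    Class file contents are placeholder bytes, not real bytecode."""
    placeholder_class = b"\xca\xfe\xba\xbe placeholder"
    # 1. Bridge only: the package exists, but no lookup machinery at all.
    bridge = _make_jar(os.path.join(directory, "log4j-to-slf4j-sample.jar"), {
        "META-INF/MANIFEST.MF": b"Manifest-Version: 1.0\n",
        "org/apache/logging/slf4j/PlaceholderBridge.class": placeholder_class,
    })
    # 2. A plain log4j-core style jar that carries the lookup class.
    core_entries = {
        "META-INF/MANIFEST.MF": b"Manifest-Version: 1.0\n",
        JNDI_LOOKUP_CLASS: placeholder_class,
    }
    core = _make_jar(os.path.join(directory, "log4j-core-sample.jar"), core_entries)
    # 3. A Spring Boot fat jar that embeds that core jar under BOOT-INF/lib.
    with open(core, "rb") as fh:
        core_bytes = fh.read()
    fat = _make_jar(os.path.join(directory, "app-sample.jar"), {
        "META-INF/MANIFEST.MF": b"Manifest-Version: 1.0\n",
        "BOOT-INF/classes/com/example/App.class": placeholder_class,
        "BOOT-INF/lib/log4j-core-sample.jar": core_bytes,
    })
    return {"bridge_only": bridge, "log4j_core": core, "spring_boot_fat": fat}


def run_demo():
    """Build the samples in a temp dir and scan each one.
    Returns {sample_name: [locations]} with the temp dir prefix stripped."""
    directory = tempfile.mkdtemp()
    report = {}
    for name, path in build_samples(directory).items():
        hits = find_jndi_lookup([path])
        report[name] = [h.replace(directory + os.sep, "") for h in hits]
    return report


if __name__ == "__main__":
    for sample, locations in run_demo().items():
        status = "lookup class present" if locations else "not found"
        print(f"{sample:16s} {status}: {locations}")
```

Run against a real deployment with `find_jndi_lookup(glob.glob("/opt/app/*.jar"))`; a hit inside `BOOT-INF/lib/` is exactly the case where the bridge-only assumption above does not hold, because the fat jar pulled in log4j-core transitively. Absence of the class is evidence that the lookup cannot run, not proof that no other Log4j risk exists, so pair it with the dependency tree.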
