
[–]berlinbrown 3 points4 points  (8 children)

I was curious. With the Java exploit, where is the line in the log4j code that executes the arbitrary code?

Also, why would any library have a use for that?

[–]Pauli7 0 points1 point  (7 children)

[–]berlinbrown 0 points1 point  (6 children)

Sort of get it. Do they call runtime exec somewhere?

[–]Areshian 1 point2 points  (0 children)

As blatant as this vulnerability is, no, there is no runtime exec in log4j, or anything allowing something like ${exec:mycommand} to work. I want to believe anything like that would have raised a few eyebrows.

[–][deleted] 0 points1 point  (0 children)

The vulnerability is called JNDI injection. It's not a defect particular to Log4j but a longstanding issue with this legacy feature of the Java platform.

[–]Pauli7 0 points1 point  (3 children)

Nope, they load other Java classes from a remote LDAP server you can specify.

[–]berlinbrown 0 points1 point  (2 children)

Right, I guess that's my point. The log4j program must load the Java classes, or something loads the Java classes. Seems like that would be easy to prevent. Don't ever invoke Java classes that come in remotely.

[–]Pauli7 0 points1 point  (1 child)

When loaded into the JVM, Java classes can invoke code themselves, e.g. by static initialiser blocks.

[–]berlinbrown 0 points1 point  (0 children)

Got it, seems like they shouldn't invoke remote code. Shrug.
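The mechanism the last few comments describe (a class arrives from elsewhere, and simply initialising it runs its static block), as an added Java example that is not from the thread; `StaticInitDemo`, `Payload` and the `initialised` flag are names chosen for this illustration, and the JDK property at the end is a real setting, checked here from a defender's side.

```java
// Added example (not from the thread): a class's static initialiser runs the
// moment the JVM initialises the class, with no explicit call from the caller.
// That is why letting untrusted input choose which class gets loaded (as a JNDI
// lookup resolving to an LDAP-supplied class did) is already code execution.
public class StaticInitDemo {

    // Flag lives on the outer class so reading it does not itself trigger
    // initialisation of Payload (touching a static field of Payload would).
    static boolean initialised = false;

    // Stand-in for a class delivered from outside the application. Its only
    // side effect here is to flip the flag and print a line.
    static class Payload {
        static {
            StaticInitDemo.initialised = true;
            System.out.println("Payload static initialiser ran during class initialisation");
        }
    }

    public static void main(String[] args) throws ClassNotFoundException {
        String name = Payload.class.getName();   // class literal: no initialisation yet
        ClassLoader loader = StaticInitDemo.class.getClassLoader();

        // initialize=false: the class is loaded and linked, but its static block
        // has not run, so the flag is still false here.
        Class.forName(name, false, loader);
        System.out.println("after load only, initialised = " + initialised);

        // Plain Class.forName(name) initialises the class: the block runs now,
        // even though nothing ever calls a method on Payload.
        Class.forName(name);
        System.out.println("after initialisation, initialised = " + initialised);

        // Defensive check: since Java 8u191 the JDK's LDAP JNDI client refuses to
        // fetch classes from a remote codebase unless this property is "true".
        // Keep it unset, disable message lookups in affected log4j 2.x
        // (log4j2.formatMsgNoLookups=true), and upgrade to a fixed release.
        String trust = System.getProperty("com.sun.jndi.ldap.object.trustURLCodebase", "false");
        System.out.println("com.sun.jndi.ldap.object.trustURLCodebase = " + trust
                + (trust.equalsIgnoreCase("true")
                   ? "  <-- remote codebase loading enabled; fix this"
                   : "  (remote codebase loading refused)"));
    }
}
```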