[Info-vax] Java, log4j, log4shell, and OpenVMS: CVE-2021-44228

Arne Vajhøj arne at vajhoej.dk
Wed Dec 15 10:22:48 EST 2021


On 12/14/2021 10:06 PM, David Turner wrote:
> So the vulnerability is there. How would one take advantage of it anyway?
> Wouldn't you need a privileged account to even get into the server to 
> start taking advantage of the flaws?
> Assuming one is pretty careful about access to the network, and the 
> directory permissions are controlled, wouldn't it be hard to get to do 
> any damage?
> 
> Curious as I cannot find much information outside of the warning. I 
> guess no one wants to give hackers the keys to the rolls....

The vulnerability is in the processing of log messages in
a logging framework.

To exploit it, the attackers need to get a specific message
logged.

And that is usually pretty easy. The primary purpose of logging
is to help troubleshooting problems and to do that it makes sense
to log user input.

It does not matter how the user input comes into the system.

The two most common ways are probably:
* web service calls coming in from the internet
* web form post coming in from internet

But it could also be an insider instead of internet.

And it could be plain socket or a message queue or a file
instead of HTTP(S).

Because the problem is in the data content, traditional
isolation often doesn't help.

--firewall--Java web service with log4j

--firewall--Apache httpd proxy--firewall--Java web service with log4j

--firewall--Apache httpd proxy--firewall--PHP web service--message queue--Java backend with log4j

--firewall--Apache httpd proxy--firewall--PHP web service--database--Python job--message queue--Java backend with log4j

It does not make a difference: if that Java code calls log4j with
user input with malicious content, then bad things can happen.

To move on with the exploit, the Java code needs to be able to
reach a server controlled by the attacker, but many places
only have strict control of inbound traffic, not outbound traffic.

And the Java code needs to have access to something. But if the
code is intended to do something on behalf of the user, then it
obviously needs to have access to user data. That it may not have
access to modify the OS does not stop bad things from happening.

Arne
