Posted to dev@cassandra.apache.org by Brandon Williams <dr...@gmail.com> on 2021/12/12 17:55:38 UTC

Recent log4j vulnerability

I replied to a user- post about this, but thought it was worth
repeating it here.

In https://issues.apache.org/jira/browse/CASSANDRA-5883 you can see
where Apache Cassandra never chose to use log4j2 (preferring logback
instead), and thus is not, and has never been, vulnerable to this RCE.

Kind Regards,
Brandon

---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@cassandra.apache.org
For additional commands, e-mail: dev-help@cassandra.apache.org


RE: Recent log4j vulnerability

Posted by "Steinmaurer, Thomas" <th...@dynatrace.com.INVALID>.
Would 3.11 be considered as well? This would also then keep (stupid/static) sec scans silent in regard to https://nvd.nist.gov/vuln/detail/CVE-2017-5929

Thanks

-----Original Message-----
From: J. D. Jordan <je...@gmail.com>
Sent: Tuesday, 14 December 2021 16:27
To: dev@cassandra.apache.org
Subject: Re: Recent log4j vulnerability

Doesn’t hurt to upgrade. But no exploit there as far as I can see? If someone can update your config files to point them to JNDI, you have worse problems than that. Like they can probably update your config files to just completely open up JMX access or whatever also.



This email may contain confidential information. If it appears this message was sent to you by mistake, please let us know of the error. In this case, we also ask that you do not further forward the content and delete it. Thank you for your cooperation and understanding. Dynatrace Austria GmbH (registration number FN 91482h) is a company registered in Linz whose registered office is at 4020 Linz, Austria, Am Fünfundzwanziger Turm 20.



Re: Recent log4j vulnerability

Posted by "J. D. Jordan" <je...@gmail.com>.
Doesn’t hurt to upgrade. But no exploit there as far as I can see? If someone can update your config files to point them to JNDI, you have worse problems than that. Like they can probably update your config files to just completely open up JMX access or whatever also.

> On Dec 14, 2021, at 9:17 AM, Brandon Williams <dr...@gmail.com> wrote:
> 
> The POC seems to require the attacker be able to upload a file that
> overwrites the configuration, with hot reloading enabled.  We do have
> hot reloading enabled but there's no inherent way to overwrite the
> config.
> 
> That said with logback currently at 1.2.3 (in trunk), perhaps we
> should consider an upgrade for safety.
> 



Re: Recent log4j vulnerability

Posted by Brandon Williams <dr...@gmail.com>.
The POC seems to require the attacker be able to upload a file that
overwrites the configuration, with hot reloading enabled.  We do have
hot reloading enabled but there's no inherent way to overwrite the
config.

That said with logback currently at 1.2.3 (in trunk), perhaps we
should consider an upgrade for safety.

On Tue, Dec 14, 2021 at 8:50 AM Steinmaurer, Thomas
<th...@dynatrace.com.invalid> wrote:
>
> Any thoughts on what the logback folks have filed here?
> https://jira.qos.ch/browse/LOGBACK-1591
>
> Thanks!
>

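Two things this thread turns on can be checked mechanically rather than by reading a scanner report: which logback (or log4j) jars a Cassandra lib directory actually ships, which is what Thomas's CVE-2017-5929 question about 3.11 comes down to, and whether the logback configuration has hot reload switched on and contains the config-driven elements the two advisories concern, which is the precondition Brandon describes for the LOGBACK-1591 PoC (an overwritten config plus scan="true"). The script below is an added example, not Cassandra's or logback's own tooling. The jar listing and both config files are constructed for the example; the fix thresholds (1.2.0 for CVE-2017-5929, 1.2.9 for LOGBACK-1591, i.e. CVE-2021-42550) are assumptions taken from the public advisories and should be re-checked against the logback release notes before relying on them.

```python
"""Audit a Cassandra node's logging stack for the two logback issues raised in the thread.

Added example with constructed inputs; not the project's own tooling.
"""
import re
import xml.etree.ElementTree as ET

# Fix thresholds as assumed here from the public advisories (re-check against logback release notes):
#   CVE-2017-5929: deserialization in SocketServer/ServerSocketReceiver, fixed in logback 1.2.0
#   CVE-2021-42550 (LOGBACK-1591): JNDI lookups driven by a crafted config, fixed in logback 1.2.9
FIXED_IN = {"CVE-2017-5929": (1, 2, 0), "CVE-2021-42550": (1, 2, 9)}

JAR_RE = re.compile(
    r"^(?P<artifact>logback-(?:core|classic)|log4j-core)-(?P<version>[0-9][0-9A-Za-z.\-]*)\.jar$"
)


def parse_version(text):
    """'1.2.3' -> (1, 2, 3); '1.3.0-alpha11' -> (1, 3, 0). Trailing qualifiers are ignored."""
    parts = []
    for piece in re.split(r"[.\-]", text):
        m = re.match(r"\d+", piece)
        if not m:
            break
        parts.append(int(m.group()))
    return tuple(parts)


def logging_jars(filenames):
    """Map artifact name -> version tuple for the logging jars in a lib/ directory listing."""
    found = {}
    for name in filenames:
        m = JAR_RE.match(name)
        if m:
            found[m.group("artifact")] = parse_version(m.group("version"))
    return found


def fmt(v):
    return ".".join(str(n) for n in v)


def version_findings(jars):
    """Compare the shipped logback-core against the fix thresholds; note log4j-core if present."""
    findings = []
    if "log4j-core" in jars:
        findings.append("log4j-core %s present: assess separately against the log4j advisories" % fmt(jars["log4j-core"]))
    core = jars.get("logback-core")
    if core is None:
        findings.append("no logback-core jar found")
        return findings
    for cve, fixed in FIXED_IN.items():
        if core < fixed:
            findings.append("logback-core %s < %s: flagged for %s" % (fmt(core), fmt(fixed), cve))
    return findings


def config_findings(logback_xml):
    """Flag hot reload and the config-driven elements the two advisories concern."""
    root = ET.fromstring(logback_xml)
    findings = []
    if root.get("scan", "false").lower() == "true":
        findings.append("hot reload on (scan=true, scanPeriod=%s): whoever can write this file controls the logging config"
                        % root.get("scanPeriod", "default"))
    for el in root.iter():
        if el.tag == "insertFromJNDI":
            findings.append("insertFromJNDI env-entry-name=%s: JNDI lookup driven by the config file (LOGBACK-1591 shape)"
                            % el.get("env-entry-name"))
        elif el.tag == "receiver" and "ServerSocketReceiver" in (el.get("class") or ""):
            findings.append("receiver %s: accepts serialized logging events (CVE-2017-5929 component)" % el.get("class"))
    return findings


# Constructed inputs: a trunk-like lib listing (logback 1.2.3, as the thread states) and two configs.
SAMPLE_LIB = ["logback-core-1.2.3.jar", "logback-classic-1.2.3.jar", "slf4j-api-1.7.25.jar", "guava-27.0-jre.jar"]

STOCK_LOGBACK_XML = """<configuration scan="true" scanPeriod="60 seconds">
  <appender name="STDOUT" class="ch.qos.logback.core.ConsoleAppender">
    <encoder><pattern>%-5level %msg%n</pattern></encoder>
  </appender>
  <root level="INFO"><appender-ref ref="STDOUT"/></root>
</configuration>"""

# Constructed: what an overwritten config looks like, the same file with a JNDI lookup inserted.
TAMPERED_LOGBACK_XML = """<configuration scan="true" scanPeriod="60 seconds">
  <insertFromJNDI env-entry-name="java:comp/env/appName" as="appName"/>
  <root level="INFO"/>
</configuration>"""


def audit(filenames, logback_xml):
    """All findings for one node: jar versions first, then config contents."""
    return version_findings(logging_jars(filenames)) + config_findings(logback_xml)


if __name__ == "__main__":
    for label, xml in (("stock", STOCK_LOGBACK_XML), ("tampered", TAMPERED_LOGBACK_XML)):
        print("==", label)
        for line in audit(SAMPLE_LIB, xml):
            print(" -", line)
```

On a real node, feed `logging_jars` the listing of the install's `lib/` directory and `config_findings` the contents of `conf/logback.xml`; pair that with a check that the config file is not writable by the account Cassandra runs as, since a writable config with scan="true" is exactly the condition Brandon's message describes, whatever logback version is on the classpath.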


RE: Recent log4j vulnerability

Posted by "Steinmaurer, Thomas" <th...@dynatrace.com.INVALID>.
Any thoughts on what the logback folks have filed here?
https://jira.qos.ch/browse/LOGBACK-1591

Thanks!

-----Original Message-----
From: Brandon Williams <dr...@gmail.com>
Sent: Sunday, 12 December 2021 18:56
To: dev@cassandra.apache.org
Subject: Recent log4j vulnerability

I replied to a user- post about this, but thought it was worth repeating it here.

In https://issues.apache.org/jira/browse/CASSANDRA-5883 you can see where Apache Cassandra never chose to use log4j2 (preferring logback instead), and thus is not, and has never been, vulnerable to this RCE.

Kind Regards,
Brandon
