There's a new Logback release fixing a security issue with JNDI lookups:
https://twitter.com/qos_ch/status/1470728596675248132

Don't despair and DO NOT PANIC. 🧵

RT @[email protected]

In response to a vulnerability report LOGBACK-1591, we have released logback version 1.2.8.

See http://logback.qos.ch/news.html for details

The vulnerability requires the attackers to be able to overwrite the Logback configuration file and add the vulnerable DBAppender and a manipulated JNDIConnectionSource to the configuration _and then_ either restart the application or let Logback reload with scan="true".
It's an order of magnitude less severe than CVE-2021-44228 in #log4j #log4j2 #Log4Shell, which was exploitable in the default configuration up until Log4j 2.15.0.
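A defender-side check for the preconditions described above, added here as an example and not part of the original thread or of Logback: it inspects a Logback configuration for a DBAppender, a JNDIConnectionSource and scan="true", and reports whether the file is writable by group or others. The function names and the sample configurations are assumptions constructed for illustration.

```python
import os
import stat
import xml.etree.ElementTree as ET

# Constructed sample configurations (not taken from the original thread).
SAMPLE_RISKY = """<configuration scan="true">
  <appender name="DB" class="ch.qos.logback.classic.db.DBAppender">
    <connectionSource class="ch.qos.logback.core.db.JNDIConnectionSource">
      <jndiLocation>java:comp/env/jdbc/logging</jndiLocation>
    </connectionSource>
  </appender>
</configuration>"""
SAMPLE_PLAIN = """<configuration>
  <appender name="STDOUT" class="ch.qos.logback.core.ConsoleAppender"/>
</configuration>"""


def audit_logback_config(xml_text):
    """Report which of the preconditions named in the thread a config meets."""
    # Logback configs need no DTD; refuse one rather than expand entities.
    if "<!DOCTYPE" in xml_text.upper():
        raise ValueError("DOCTYPE not expected in a Logback configuration")
    root = ET.fromstring(xml_text)
    classes = [el.get("class", "") for el in root.iter()]
    findings = {
        "db_appender": any(c.endswith(".DBAppender") for c in classes),
        "jndi_connection_source": any(
            c.endswith(".JNDIConnectionSource") for c in classes),
        # scan="true" lets Logback reload a changed file without a restart.
        "scan_enabled": root.get("scan", "false").strip().lower() == "true",
        "jndi_locations": [el.text.strip()
                           for el in root.iter("jndiLocation") if el.text],
    }
    # Both components must be configured for the reported issue to apply.
    findings["review"] = (findings["db_appender"]
                          and findings["jndi_connection_source"])
    return findings


def is_loosely_writable(path):
    """True if group or others may overwrite the configuration file."""
    return bool(os.stat(path).st_mode & (stat.S_IWGRP | stat.S_IWOTH))


if __name__ == "__main__":
    for name, text in (("risky", SAMPLE_RISKY), ("plain", SAMPLE_PLAIN)):
        print(name, audit_logback_config(text))
```

A configuration that is flagged for review and is also loosely writable, or has scan enabled, is the combination worth tightening first.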