Bug 828657 - dev-java/log4j: remote code execution
Summary: dev-java/log4j: remote code execution
Status: CONFIRMED
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal major
Assignee: Gentoo Security
URL: https://github.com/apache/logging-log...
Whiteboard: C1 [glsa?]
Keywords:
Depends on: 829192
Blocks: CVE-2021-4104
Reported: 2021-12-10 02:36 UTC by John Helmert III
Modified: 2022-05-04 14:52 UTC

See Also:
Package list:
Runtime testing required: ---


Description by John Helmert III, 2021-12-10 02:36:54 UTC
https://www.lunasec.io/docs/blog/log4j-zero-day/

Remote code execution exists in log4j where untrusted input is logged. Patch at URL.

POC: https://github.com/tangxiaofeng7/apache-log4j-poc

Fix appears to be in 2.15.0, please bump.
Comment 1 by Sam James, 2021-12-10 05:58:11 UTC
I think this only affects 2.x.
Comment 2 by John Helmert III, 2021-12-10 15:54:43 UTC
(In reply to Sam James from comment #1)
> I think this only affects 2.x.

https://github.com/apache/logging-log4j2/pull/608#issuecomment-990494126

"Hi @yuezk, as far as I can tell, log4j 1.x does not support lookups. [snip] CORRECTION: log4j 1.x contains a JMS Appender which can use JNDI. So I would say that, yes, log4j 1.x is also impacted by this vulnerability (Thank you @garydgregory for pointing this out)."
Comment 3 by John Helmert III, 2021-12-15 00:19:50 UTC
(In reply to John Helmert III from comment #2)
> (In reply to Sam James from comment #1)
> > I think this only affects 2.x.
> 
> https://github.com/apache/logging-log4j2/pull/608#issuecomment-990494126
> 
> "Hi @yuezk, as far as I can tell, log4j 1.x does not support lookups. [snip]
> CORRECTION: log4j 1.x contains a JMS Appender which can use JNDI. So I would
> say that, yes, log4j 1.x is also impacted by this vulnerability (Thank you
> @garydgregory for pointing this out)."

Well, seems like the impact in 1.x is limited to DoS (maybe?) based on https://github.com/apache/logging-log4j2/pull/608#issuecomment-991723301.
Comment 4 by John Helmert III, 2021-12-15 00:24:22 UTC
(In reply to John Helmert III from comment #3)
> (In reply to John Helmert III from comment #2)
> > (In reply to Sam James from comment #1)
> > > I think this only affects 2.x.
> > 
> > https://github.com/apache/logging-log4j2/pull/608#issuecomment-990494126
> > 
> > "Hi @yuezk, as far as I can tell, log4j 1.x does not support lookups. [snip]
> > CORRECTION: log4j 1.x contains a JMS Appender which can use JNDI. So I would
> > say that, yes, log4j 1.x is also impacted by this vulnerability (Thank you
> > @garydgregory for pointing this out)."
> 
> Well, seems like the impact in 1.x is limited to DoS (maybe?) based on
> https://github.com/apache/logging-log4j2/pull/608#issuecomment-991723301.

Actually, RCE in non-default configuration: https://www.openwall.com/lists/oss-security/2021/12/13/1
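A defender's check that follows from comments 2 and 4, added here as an example and not code from the bug report or from Gentoo: it scans a log4j 1.x `log4j.properties` file and reports every appender of the JMS Appender class, together with the loggers that route events to it, so an administrator can see whether the non-default configuration is present before deciding on removal. The sample configuration is constructed; the class name `org.apache.log4j.net.JMSAppender` and the property-key layout are taken from log4j 1.x, not from this page.

```python
import re

# Constructed sample log4j 1.x properties file (not from the bug page):
# the root logger and one named logger both send events to a JMS appender.
SAMPLE_CONFIG = """\
log4j.rootLogger=INFO, stdout, jms
log4j.appender.stdout=org.apache.log4j.ConsoleAppender
log4j.appender.stdout.layout=org.apache.log4j.PatternLayout
log4j.appender.jms=org.apache.log4j.net.JMSAppender
log4j.appender.jms.TopicBindingName=log4jTopic
log4j.logger.com.example.audit=DEBUG, jms
"""

# "log4j.appender.<name>=<class>" (appender sub-properties have a further dot)
APPENDER_CLASS_RE = re.compile(r"^log4j\.appender\.([^.\s=]+)\s*=\s*(\S+)\s*$")
# "log4j.rootLogger=LEVEL, app1, app2" or "log4j.logger.<name>=LEVEL, app1"
LOGGER_RE = re.compile(r"^log4j\.(rootLogger|logger\.[^=\s]+)\s*=\s*(.+)$")


def parse_properties(text):
    """Return (appender name -> class name, logger name -> [appender names])."""
    appenders, loggers = {}, {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", "!")):  # properties-file comments
            continue
        m = APPENDER_CLASS_RE.match(line)
        if m:
            appenders[m.group(1)] = m.group(2)
            continue
        m = LOGGER_RE.match(line)
        if m:
            # first comma-separated token is the level; the rest are appenders
            parts = [p.strip() for p in m.group(2).split(",")]
            loggers[m.group(1)] = [p for p in parts[1:] if p]
    return appenders, loggers


def find_jms_appenders(text):
    """List (appender, class, [loggers using it]) for each JMS appender found."""
    appenders, loggers = parse_properties(text)
    findings = []
    for name, cls in appenders.items():
        if cls.endswith("JMSAppender"):
            users = sorted(lg for lg, names in loggers.items() if name in names)
            findings.append((name, cls, users))
    return findings


if __name__ == "__main__":
    for name, cls, users in find_jms_appenders(SAMPLE_CONFIG):
        print(f"JMS appender '{name}' ({cls}) used by: {', '.join(users) or 'nobody'}")
```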
Comment 5 by Volkmar W. Pogatzki, 2022-04-06 06:13:09 UTC
The affected package is last-rited, see https://bugs.gentoo.org/829192#c1
Comment 6 by Larry the Git Cow, 2022-05-04 08:15:46 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=e55b6f037bdb41eae1559ecb953865d39a71105e

commit e55b6f037bdb41eae1559ecb953865d39a71105e
Author:     Jakov Smolić <jsmolic@gentoo.org>
AuthorDate: 2022-05-04 08:11:29 +0000
Commit:     Jakov Smolić <jsmolic@gentoo.org>
CommitDate: 2022-05-04 08:13:46 +0000

    dev-java/log4j: treeclean
    
    Bug: https://bugs.gentoo.org/828657
    Bug: https://bugs.gentoo.org/719146
    Bug: https://bugs.gentoo.org/829192
    Signed-off-by: Jakov Smolić <jsmolic@gentoo.org>

 dev-java/log4j/Manifest               |  1 -
 dev-java/log4j/log4j-1.2.17-r3.ebuild | 70 -----------------------------------
 dev-java/log4j/metadata.xml           | 12 ------
 profiles/package.mask                 |  6 ---
 4 files changed, 89 deletions(-)