Details
- Type: Improvement
- Status: Resolved
- Priority: Normal
- Resolution: Fixed
- Fix Version/s: 3.0.26, 3.11.12, 4.0.2, 4.1-alpha1, 4.1
- Component/s: Operability
- Complexity: Low Hanging Fruit
- Platform: All
Description
Logback 1.2.8 has been released with a fix for a potential vulnerability in its JNDI lookup.
14th of December, 2021, Release of version 1.2.8
- In response to LOGBACK-1591, we have disabled all JNDI lookup code in logback until further notice. This impacts ContextJNDISelector and the <insertFromJNDI> element in configuration files.
- Also in response to LOGBACK-1591, we have removed all database (JDBC) related code in the project with no replacement.
We note that the vulnerability mentioned in LOGBACK-1591 requires write access to logback's configuration file as a prerequisite. A successful RCE requires all of the following to be true:
- write access to logback.xml
- use of versions < 1.2.8
- reloading of poisoned configuration data, which implies application restart or scan="true" set prior to attack
Therefore, as an additional precaution beyond upgrading to version 1.2.8, we also recommend that users set their logback configuration files to read-only.
This is not as bad as CVE-2021-44228 in Log4j <2.15.0 (Log4Shell), but should probably be fixed anyway.
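As an added example (not part of this ticket, and not logback's or Cassandra's own code), the following Python script audits a deployment against the preconditions the release note lists: a logback version older than 1.2.8, an `<insertFromJNDI>` element in the configuration, `scan="true"` (reload without restart), and a configuration file that is writable by group or others. The jar-name pattern, the two constructed sample configurations and all function names are assumptions of this example.

```python
"""Audit a logback deployment for the LOGBACK-1591 preconditions (example code).

Checks performed:
  1. logback jar version < 1.2.8 (derived from the jar file name)
  2. <insertFromJNDI> elements in the configuration
  3. scan="true" on <configuration> (config reloaded without a restart)
  4. configuration file writable by group or others
"""
import os
import re
import stat
import tempfile
import xml.etree.ElementTree as ET

FIXED_VERSION = (1, 2, 8)

# Assumption: jars are named logback-core-X.Y.Z.jar / logback-classic-X.Y.Z.jar.
# Pre-release names such as 1.3.0-alpha10 do not match and are reported as unknown.
_JAR_RE = re.compile(r"logback-(?:core|classic)-(\d+)\.(\d+)\.(\d+)\.jar$")

# Constructed sample: every precondition present.
SAMPLE_CONFIG = """<configuration scan="true">
  <insertFromJNDI env-entry-name="java:comp/env/appName" as="appName"/>
  <appender name="STDOUT" class="ch.qos.logback.core.ConsoleAppender">
    <encoder><pattern>%d ${appName} %msg%n</pattern></encoder>
  </appender>
  <root level="INFO"><appender-ref ref="STDOUT"/></root>
</configuration>
"""

# Constructed sample: no JNDI lookup, no automatic reload.
HARDENED_CONFIG = """<configuration>
  <appender name="STDOUT" class="ch.qos.logback.core.ConsoleAppender">
    <encoder><pattern>%d %msg%n</pattern></encoder>
  </appender>
  <root level="INFO"><appender-ref ref="STDOUT"/></root>
</configuration>
"""


def parse_logback_version(jar_name):
    """Return (major, minor, patch) from a logback jar file name, or None if unrecognised."""
    m = _JAR_RE.search(os.path.basename(jar_name))
    return tuple(int(x) for x in m.groups()) if m else None


def is_vulnerable_version(jar_name):
    """True only when the version could be parsed and is older than 1.2.8."""
    v = parse_logback_version(jar_name)
    return v is not None and v < FIXED_VERSION


def audit_config(xml_text):
    """Inspect the configuration text for JNDI lookups and automatic reloading."""
    root = ET.fromstring(xml_text)
    return {
        "scan_enabled": root.get("scan", "false").lower() == "true",
        "jndi_lookups": len(list(root.iter("insertFromJNDI"))),
    }


def is_group_or_world_writable(path):
    """True when the file mode grants write permission to group or others."""
    mode = os.stat(path).st_mode
    return bool(mode & (stat.S_IWGRP | stat.S_IWOTH))


def audit(xml_text, jar_name, config_writable):
    """Return a list of findings; an empty list means none of the preconditions is met."""
    findings = []
    if is_vulnerable_version(jar_name):
        ver = ".".join(map(str, parse_logback_version(jar_name)))
        findings.append(f"logback {ver} is older than 1.2.8")
    cfg = audit_config(xml_text)
    if cfg["jndi_lookups"]:
        findings.append(f"configuration contains {cfg['jndi_lookups']} <insertFromJNDI> element(s)")
    if cfg["scan_enabled"]:
        findings.append('scan="true" reloads the configuration without a restart')
    if config_writable:
        findings.append("configuration file is writable by group or others")
    return findings


if __name__ == "__main__":
    # Write the sample config to a temp file with the recommended read-only mode
    # and run the audit against a hypothetical pre-fix jar name.
    with tempfile.NamedTemporaryFile("w", suffix=".xml", delete=False) as fh:
        fh.write(SAMPLE_CONFIG)
    os.chmod(fh.name, 0o444)
    writable = is_group_or_world_writable(fh.name)
    for line in audit(SAMPLE_CONFIG, "lib/logback-core-1.2.7.jar", writable) or ["no findings"]:
        print("-", line)
    os.unlink(fh.name)
```

The permission check reports only group/other write bits; a file owned by the application user remains writable by that user, so the read-only recommendation is strongest when the file is owned by a separate account from the one running the JVM.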
Attachments
Issue Links
- causes: CASSANDRA-18002 Update NetBeans project file for dependency changes since 7th July 2021 (Resolved)