
We're currently trying to prioritize our mitigations for CVE-2021-44228.

The obvious priority is to deal with any Internet-facing Java (Apache?) applications that use a vulnerable log4j library and/or Java binary first.

For multi-user Linux systems, where users may be able to execute any arbitrary Java stack, is this less of a concern? In other words, is this exploit dependent upon the effective permissions of the account that is running Java/log4j, or does it provide an intrinsic way to obtain privilege escalation?

My admin experience tells me that any remote code execution is going to be bound by the execution context (e.g. permissions) within which the exposed service or application is operating. If user bob only has write permissions within their home directory, the assumption is that there would be no major systemic effect. (Of course bob might be doing something like mounting a file share where he has full rights to sensitive.corporate.data/allyourbase or something--so yeah, it depends, but I digress).

Is anyone willing to share their thoughts (or point to reputable sources that provide insight) on how the effective permissions of the vulnerable service/process/application impact the recent log4j exploit?

Another question about service permissions was suggested, but the only response is somewhat subjective and doesn't offer any insight into:

  1. Does CVE-2021-44228 include privilege escalation capabilities, regardless of execution context?

  2. Is it accurate to say that there is a definite correlation between the execution context of the vulnerable Java stack and the effective severity (potentially a significant reduction in severity)?

  3. Ultimately, the determination needs to come from the maintainers, but if anyone is willing to share any reputable sources, POCs, tests, demos that prove or disprove the impact of execution context, I think it would be a huge help for admins like me currently dealing with the rampant uncertainty.

  • 4
    I think this is a duplicate to [At which OS privilege level log4j usually runs?](https://security.stackexchange.com/questions/257992/at-which-os-privilege-level-log4j-usually-runs). In short: the exploit runs with the same permissions as the Java application exploited. – Steffen Ullrich Dec 15 '21 at 19:24
  • 1
    Please edit the question to limit it to a specific problem with enough detail to identify an adequate answer. – Community Dec 15 '21 at 20:56
  • Apologies, I assumed I had not yet earned the ability to comment. I have added some more specificity to differentiate this question from the related thread. – BradleyMorgan Dec 15 '21 at 22:15
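The comment above states the operating principle for the question's second point: the injected code runs with whatever permissions the exploited Java process already has. A practical consequence for the prioritization the question is about is that the first thing to inventory on a multi-user host is which account each Java process runs as. The script below is an added example (not code from the question, the linked thread, or the log4j project): it takes lines in the shape of `ps -eo uid=,user=,args=` output, ranks each Java process by effective user (root first, system/service accounts second, interactive users last), and notes whether a `log4j-core` jar is visible on the command line. The uid thresholds, the priority labels and the three sample process lines are constructed for this example.

```shell
#!/bin/sh
# Added example: rank running Java processes for CVE-2021-44228 mitigation by the
# account they run as, since an RCE via log4j executes with that account's rights.
# Input lines are constructed here in the same shape as:
#   ps -eo uid=,user=,args= | grep '[j]ava'
# (real ps output may carry leading spaces; strip them before calling triage_line).

# Priority rule (an assumption for this example, not a standard): root first,
# system/service accounts (uid < 1000) second, interactive users last.
java_priority() {
  uid="$1"
  if [ "$uid" -eq 0 ]; then
    echo "P1-root"
  elif [ "$uid" -lt 1000 ]; then
    echo "P2-service"
  else
    echo "P3-user"
  fi
}

# Succeeds (exit 0) if the command line references a log4j-core jar on its classpath.
# Absence is not proof of safety: the jar may be bundled inside another archive.
mentions_log4j_core() {
  printf '%s\n' "$1" | grep -q 'log4j-core-[0-9]'
}

# Triage one line "<uid> <user> <args...>" into "<priority> <user> <log4j flag>".
triage_line() {
  uid="${1%% *}"; rest="${1#* }"
  user="${rest%% *}"; args="${rest#* }"
  prio=$(java_priority "$uid")
  if mentions_log4j_core "$args"; then
    flag="log4j-core"
  else
    flag="no-log4j-core-on-cmdline"
  fi
  echo "$prio $user $flag"
}

# Constructed sample input: one root daemon, one service account, one interactive user.
SAMPLE='0 root /usr/bin/java -cp /opt/app/lib/log4j-core-2.14.1.jar:/opt/app/app.jar com.example.Main
999 tomcat /usr/bin/java -jar /opt/tomcat/bin/bootstrap.jar
1001 bob /usr/bin/java -cp /home/bob/proj/log4j-core-2.14.1.jar:/home/bob/proj/x.jar Foo'

# Triage every sample line and sort so the highest-priority processes come first.
triage_all() {
  printf '%s\n' "$SAMPLE" | while IFS= read -r line; do
    triage_line "$line"
  done | sort
}

triage_all
```

On a real host, replace `SAMPLE` with the live `ps` output. The ranking only answers "who would the attacker become"; the comment's point still applies to bob's process (the attacker gets bob's file-share mounts and anything else bob can reach), so the lower rank means "after the daemons", not "safe".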

0 Answers