
I'm really struggling with understanding CVE-2021-42550. Logback says:

A successful RCE attack with CVE-2021-42550 requires all of the following conditions to be met:

  1. write access to logback.xml
  2. use of versions < 1.2.9
  3. reloading of poisoned configuration data, which implies application restart or scan="true" set prior to attack.

As an additional extra precaution, in addition to upgrading to logback version 1.2.9, we also recommend users to set their logback configuration files as read-only.

But those conditions describe how applications are used in general. There is nothing unusual about them. And if someone is able to change (configuration) files and the application is restarted, then of course something will change. But if I have an issue that big, where an attacker is able to do this, do I really have to care about RCE via Logback - or do I? My system is compromised anyway and it's over!

Okay, I cannot use some functionalities of Logback since they are disabled in 1.2.9, but I don't have to either, since I have write access on the system.

Defining the abuse of functionalities that require those conditions as a vulnerability sounds a bit misleading to me.
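As an added example (my own code, not from the question, the comments, or the Logback project), the three conditions quoted above can be turned into a simple defender-side audit: is the Logback version below 1.2.9, does `logback.xml` carry `scan="true"`, and is the file writable at all (Logback's own advice is to make it read-only). The sample configuration, the helper names and the version string are constructed for the example.

```python
"""Audit the three CVE-2021-42550 preconditions quoted from Logback's advisory.

Added example, not code from the original question or from the Logback project.
All function names and the sample configuration below are my own constructions.
"""
import os
import stat
import tempfile
import xml.etree.ElementTree as ET

# Constructed sample: a configuration that periodically reloads itself (condition 3).
SAMPLE_LOGBACK_XML = """<?xml version="1.0" encoding="UTF-8"?>
<configuration scan="true" scanPeriod="30 seconds">
  <appender name="STDOUT" class="ch.qos.logback.core.ConsoleAppender">
    <encoder><pattern>%d %-5level %logger{36} - %msg%n</pattern></encoder>
  </appender>
  <root level="INFO"><appender-ref ref="STDOUT"/></root>
</configuration>
"""

# Version that the advisory names as the fix (condition 2).
FIXED_VERSION = (1, 2, 9)


def parse_version(text):
    """Turn '1.2.8' (or '1.2.8-SNAPSHOT') into a comparable tuple of integers."""
    parts = []
    for piece in text.split("."):
        digits = "".join(ch for ch in piece if ch.isdigit())
        if not digits:
            break
        parts.append(int(digits))
    return tuple(parts)


def version_is_vulnerable(version_text):
    """Condition 2: any version strictly below 1.2.9."""
    return parse_version(version_text) < FIXED_VERSION


def scan_enabled(xml_text):
    """Condition 3 without a restart: the <configuration> element has scan="true"."""
    root = ET.fromstring(xml_text)
    return root.tag == "configuration" and root.get("scan", "false").strip().lower() == "true"


def file_is_writable(path):
    """Condition 1 (as far as file bits go): any write bit set means the file
    is not the read-only file Logback recommends."""
    mode = stat.S_IMODE(os.stat(path).st_mode)
    return bool(mode & (stat.S_IWUSR | stat.S_IWGRP | stat.S_IWOTH))


def audit(version_text, config_path):
    """Return one finding per advisory condition plus whether all three hold."""
    with open(config_path, encoding="utf-8") as fh:
        xml_text = fh.read()
    findings = {
        "version_below_1.2.9": version_is_vulnerable(version_text),
        "scan_true": scan_enabled(xml_text),
        "config_writable": file_is_writable(config_path),
    }
    findings["all_conditions_met"] = all(findings.values())
    return findings


def harden_config(xml_text):
    """Mitigation for condition 3: switch scan off so a poisoned file is not
    picked up until a deliberate restart. Returns the rewritten XML."""
    root = ET.fromstring(xml_text)
    if root.get("scan", "false").strip().lower() == "true":
        root.set("scan", "false")
        root.attrib.pop("scanPeriod", None)
    return ET.tostring(root, encoding="unicode")


def write_sample_config(mode=0o644):
    """Write the constructed sample to a temp file with the given mode; return its path."""
    directory = tempfile.mkdtemp()
    path = os.path.join(directory, "logback.xml")
    with open(path, "w", encoding="utf-8") as fh:
        fh.write(SAMPLE_LOGBACK_XML)
    os.chmod(path, mode)
    return path


def set_mode(path, mode):
    """Mitigation for condition 1: e.g. set_mode(path, 0o444) makes the file read-only."""
    os.chmod(path, mode)
    return file_is_writable(path)


def remove_sample_config(path):
    """Clean up the temp file and its directory created by write_sample_config."""
    os.chmod(path, 0o644)
    os.remove(path)
    os.rmdir(os.path.dirname(path))


if __name__ == "__main__":
    p = write_sample_config()
    print("before:", audit("1.2.8", p))
    set_mode(p, 0o444)
    print("after: ", audit("1.2.9", p))
    remove_sample_config(p)
```

The point of the three separate findings is that only the combination yields the RCE path the advisory describes, while each one (a writable config, a reload-on-change setting) is something you can fix independently and without root: a dedicated service user owning a read-only `logback.xml` removes condition 1 even if the application itself runs as that user.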

  • That's why its CVSS score is Medium... If one can meet those conditions without a full compromise of the system, then there can be a privilege escalation. You are making assumptions that those conditions always require higher levels of permissions. – schroeder Dec 22 '21 at 12:04
  • If these conditions require higher levels of permission on my systems, am I fine? – DaniEll Dec 22 '21 at 12:16
  • @DaniEll I don't think you can put it that way. Logback recommends setting your configuration files to read-only. But if your application needs to write to your configuration file, it should not require high privileges (like root) to do so, since you might need root privileges to run your application. In this case a better way to go would be to create a special user just to run the application and its resources without any permissions outside that context. – user3240316 Dec 22 '21 at 18:22

0 Answers