In logback version 1.2.7 and prior versions, an attacker with the required privileges to edit configurations files could craft a malicious configuration allowing to execute arbitrary code loaded from LDAP servers.
Weakness
The product deserializes untrusted data without sufficiently ensuring that the resulting data will be valid.
Affected Software
| Name | Vendor | Start Version | End Version |
|---|---|---|---|
| Logback | Qos | * | 1.2.7 (including) |
| Logback | Qos | 1.3.0-alpha0 (including) | 1.3.0-alpha0 (including) |
| Logback | Qos | 1.3.0-alpha1 (including) | 1.3.0-alpha1 (including) |
| Logback | Qos | 1.3.0-alpha10 (including) | 1.3.0-alpha10 (including) |
| Logback | Qos | 1.3.0-alpha2 (including) | 1.3.0-alpha2 (including) |
| Logback | Qos | 1.3.0-alpha3 (including) | 1.3.0-alpha3 (including) |
| Logback | Qos | 1.3.0-alpha4 (including) | 1.3.0-alpha4 (including) |
| Logback | Qos | 1.3.0-alpha5 (including) | 1.3.0-alpha5 (including) |
| Logback | Qos | 1.3.0-alpha6 (including) | 1.3.0-alpha6 (including) |
| Logback | Qos | 1.3.0-alpha7 (including) | 1.3.0-alpha7 (including) |
| Logback | Qos | 1.3.0-alpha8 (including) | 1.3.0-alpha8 (including) |
| Logback | Qos | 1.3.0-alpha9 (including) | 1.3.0-alpha9 (including) |
| Red Hat Fuse 7.11 | RedHat | logback-classic | * |
| Red Hat Satellite 6.11 for RHEL 7 | RedHat | candlepin-0:4.1.13-1.el7sat | * |
| Red Hat Satellite 6.11 for RHEL 8 | RedHat | candlepin-0:4.1.13-1.el8sat | * |
| RHDM 7.12.1 | RedHat | logback-classic | * |
| RHPAM 7.12.1 | RedHat | logback-classic | * |
| Logback | Ubuntu | bionic | * |
| Logback | Ubuntu | esm-apps/bionic | * |
| Logback | Ubuntu | esm-apps/focal | * |
| Logback | Ubuntu | esm-apps/xenial | * |
| Logback | Ubuntu | focal | * |
| Logback | Ubuntu | hirsute | * |
| Logback | Ubuntu | impish | * |
| Logback | Ubuntu | kinetic | * |
| Logback | Ubuntu | lunar | * |
| Logback | Ubuntu | mantic | * |
| Logback | Ubuntu | trusty | * |
| Logback | Ubuntu | upstream | * |
| Logback | Ubuntu | xenial | * |
Potential Mitigations
- Make fields transient to protect them from deserialization.
- An attempt to serialize and then deserialize a class containing transient fields will result in NULLs where the transient data should be. This is an excellent way to prevent time, environment-based, or sensitive variables from being carried over and used improperly.
Related Attack Patterns
References
- http://logback.qos.ch/news.html
- http://packetstormsecurity.com/files/167794/Open-Xchange-App-Suite-7.10.x-Cross-Site-Scripting-Command-Injection.html
- http://seclists.org/fulldisclosure/2022/Jul/11
- https://cert-portal.siemens.com/productcert/pdf/ssa-371761.pdf
- https://github.com/cn-panda/logbackRceDemo
- https://jira.qos.ch/browse/LOGBACK-1591
- https://security.netapp.com/advisory/ntap-20211229-0001/
- http://logback.qos.ch/news.html
- http://packetstormsecurity.com/files/167794/Open-Xchange-App-Suite-7.10.x-Cross-Site-Scripting-Command-Injection.html
- http://seclists.org/fulldisclosure/2022/Jul/11
- https://cert-portal.siemens.com/productcert/pdf/ssa-371761.pdf
- https://github.com/cn-panda/logbackRceDemo
- https://jira.qos.ch/browse/LOGBACK-1591
- https://security.netapp.com/advisory/ntap-20211229-0001/