XWiki Commons / XCOMMONS-2330

Upgrade to Logback 1.2.10


Details


    Description

      See https://logback.qos.ch/news.html

      1.2.10
      
      • ContextInitializer no longer complains about missing logback.groovy configuration file. This fixes LOGBACK-1601.
      
      1.2.9
      
      We note that the vulnerability mentioned in CVE-2021-42550 requires write access to logback's configuration file as a prerequisite. Please understand that log4Shell and CVE-2021-42550 are of different severity levels.
      
      In response to CVE-2021-42550 (aka LOGBACK-1591) we have decided to make the following steps.
      
      1) Hardened logback's JNDI lookup mechanism to only honor requests in the java: namespace. All other types of requests are ignored. Many thanks to Michael Osipov for suggesting this change and providing the relevant PR.
      
      2) SMTPAppender was hardened.
      
      3) Temporarily removed DB support for security reasons.
      
      4) Removed Groovy configuration support. As logging is so pervasive and configuration with Groovy is probably too powerful, this feature is unlikely to be reinstated for security reasons.
      
      We note that the aforementioned vulnerability requires write access to logback's configuration file as a prerequisite. Please understand that log4Shell/CVE-2021-44228 and CVE-2021-42550 are of different severity levels. A successful RCE attack with CVE-2021-42550 requires all of the following conditions to be met:
      
          write access to logback.xml
          use of versions < 1.2.9
          reloading of poisoned configuration data, which implies application restart or scan="true" set prior to attack
      
      As an additional extra precaution, in addition to upgrading to logback version 1.2.9, we also recommend users to set their logback configuration files as read-only.
      
      
      1.2.8
      
      • In response to CVE-2021-42550 and LOGBACK-1591 we have decided to make the following steps.
      
      1) we have disabled all JNDI lookup code in logback until further notice. This impacts ContextJNDISelector and <insertFromJNDI> element in configuration files.
      
      2) we have removed all database (JDBC) related code in the project with no replacement.
      
      
      We note that the vulnerability mentioned in LOGBACK-1591 requires write access to logback's configuration file as a prerequisite. Please understand that log4Shell/CVE-2021-44228 and LOGBACK-1591 are of utterly different severity levels. A successful RCE requires all of the following to be true:
      
          write access to logback.xml
          use of versions < 1.2.8
          reloading of poisoned configuration data, which implies application restart or scan="true" set prior to attack
      
      As an additional extra precaution, in addition to upgrading to logback version 1.2.8, we also recommend users to set their logback configuration files as read-only.
      

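The 1.2.8 and 1.2.9 notes quoted above list the same preconditions (a writable logback.xml, a version below the fixed one, and a reload via restart or scan="true") and both recommend making the configuration file read-only. The audit script below is an added example, not code from XWiki or from the logback project: it checks a logback.xml for the writable bit, for scan="true", and for <insertFromJNDI> entries whose env-entry-name lies outside the java: namespace (the only namespace 1.2.9 honours, per item 1 above). The env-entry-name/as attributes and the scan/scanPeriod attributes are logback's standard ones; the function names, the finding labels and the embedded sample configuration are constructed for this example.

```python
"""Audit a logback.xml against the preconditions quoted in the logback
1.2.8/1.2.9 release notes: writable config file, scan="true" (hot reload),
and <insertFromJNDI> lookups outside the java: namespace.

Added example, not XWiki or logback code. The precondition list and the
java:-only rule come from the release notes; the function names, the
finding labels and the sample configuration are constructed here.
"""
import os
import stat
import tempfile
import xml.etree.ElementTree as ET

# Constructed sample configuration that trips every check once.
SAMPLE_LOGBACK_XML = """<?xml version="1.0" encoding="UTF-8"?>
<configuration scan="true" scanPeriod="30 seconds">
  <insertFromJNDI env-entry-name="java:comp/env/appName" as="appName"/>
  <insertFromJNDI env-entry-name="ldap://example.invalid/cfg" as="remote"/>
  <appender name="STDOUT" class="ch.qos.logback.core.ConsoleAppender">
    <encoder><pattern>%d %-5level ${appName} - %msg%n</pattern></encoder>
  </appender>
  <root level="INFO"><appender-ref ref="STDOUT"/></root>
</configuration>
"""


def jndi_name_allowed(env_entry_name: str) -> bool:
    """Mirror of the 1.2.9 rule as the notes describe it: only names in the
    java: namespace are honoured; anything else is ignored."""
    return env_entry_name.strip().lower().startswith("java:")


def audit_logback_config(path: str) -> list:
    """Return a list of (finding, detail) tuples for the file at `path`."""
    findings = []
    st = os.stat(path)
    # Any write bit is flagged: the notes recommend a read-only file, and
    # group/other write means a non-owner could poison the configuration.
    if st.st_mode & (stat.S_IWUSR | stat.S_IWGRP | stat.S_IWOTH):
        findings.append(("writable-config", oct(st.st_mode & 0o777)))
    root = ET.parse(path).getroot()
    # scan="true" makes a poisoned file take effect without a restart.
    if root.tag == "configuration" and root.get("scan", "false").lower() == "true":
        findings.append(("scan-enabled", root.get("scanPeriod", "default")))
    # Lookups outside java: are exactly what 1.2.9 stopped honouring.
    for elem in root.iter("insertFromJNDI"):
        name = elem.get("env-entry-name", "")
        if not jndi_name_allowed(name):
            findings.append(("jndi-outside-java-namespace", name))
    return findings


def write_sample(directory: str, mode: int = 0o644) -> str:
    """Write the constructed sample config with the given permission bits."""
    path = os.path.join(directory, "logback.xml")
    with open(path, "w", encoding="utf-8") as fh:
        fh.write(SAMPLE_LOGBACK_XML)
    os.chmod(path, mode)
    return path


def run_demo() -> dict:
    """Audit the sample twice: as written (0644) and after the read-only
    precaution the notes recommend (0444). Returns label -> findings."""
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        results["writable"] = audit_logback_config(write_sample(tmp, 0o644))
        results["read-only"] = audit_logback_config(write_sample(tmp, 0o444))
    return results


if __name__ == "__main__":
    for label, findings in run_demo().items():
        print(label)
        for finding, detail in findings:
            print(f"  {finding}: {detail}")
```

On a real deployment, point audit_logback_config at the actual configuration path; the version precondition (older than 1.2.8/1.2.9) is a dependency-tree question and is deliberately not covered by the file-level checks. Making the file read-only removes only the first finding, as the second run shows; scan="true" and non-java: lookups still need to be reviewed in the file itself.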

          People

            tmortagne Thomas Mortagne