<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
</head>
<body>
<div class="moz-cite-prefix">On 15.12.2021 20:14, Petr Simek wrote:<br>
</div>
<blockquote type="cite"
cite="mid:Pine.WNT.4.64.2112152011300.3148@oleum">On Wed, 15 Dec
2021, Jindroush wrote:
<br>
<br>
<blockquote type="cite">Anything. You simply force the library to
download something from the internet and run it, with the privileges
of that server. Of course it will differ from case to case how severe it
<br>
</blockquote>
<br>
"Force" is a strong word in this case. That library must have been
written by monkeys, given that they built in a feature where a command
to download and run code from anywhere can be embedded in the data
passing through it. On top of that, even though hardly anyone uses
that feature, it is enabled by default. For a log-processing library
that strikes me as a completely perverse thing.
</blockquote>
Of course it is not that simple; as always, it is a chain of
shortcomings in a flexible, practically untestable design. So nobody
"built in" anything; it is simply that this property can be exploited
through that flexibility.<br>
<br>
Log4j includes a Lookup mechanism that could be used to make
requests through special syntax in a format string. For example, it
can be used to request various parameters such as the version of the
Java environment via <em>${java:version}</em>, etc. Then, by
specifying the <em>jndi</em> key in the string, the Lookup
mechanism uses JNDI API. By default, all requests are done using the
prefix <em>java:comp/env/</em>; however, the authors implemented
the option of using a custom prefix by means of a colon symbol in
the key. This is where the vulnerability lies: if <em>jndi:ldap://</em>
is used as the key, the request goes to the specified LDAP server.
Other communication protocols, such as LDAPS, DNS and RMI, can also
be used.
<pre class="moz-signature" cols="72">--
Jindroush <a class="moz-txt-link-rfc2396E" href="mailto:jindroush@seznam.cz"><jindroush@seznam.cz></a></pre>
</body>
</html>