A critical Arbitrary Code Execution (ACE) vulnerability has been discovered in the JaninoEventEvaluator component of QOS.CH's logback-core library, affecting all versions up to and including 1.5.12, in Java applications. This flaw allows an attacker to execute arbitrary code on the target system by either compromising an existing logback configuration file or by injecting a malicious environment variable before program execution.
Background
The JaninoEventEvaluator is an extension that allows users to write Java expressions for filtering log events dynamically. This evaluator is part of the logback-core library, which is a popular logging framework for Java applications developed by QOS.CH.
Exploit Details
The vulnerability lies in the way JaninoEventEvaluator handles logback configuration files and environment variables. An attacker can exploit this flaw in two ways:
1. By modifying an existing logback configuration file that uses the JaninoEventEvaluator extension with a malicious Java expression. To carry out this attack, the attacker must have write access to the targeted configuration file.
Assume an existing logback configuration file contains the following snippet
<evaluator>
<janinoEventEvaluator>
<expression>
// benign Java expression here
</expression>
</janinoEventEvaluator>
</evaluator>
An attacker with write access to this file could change the Java expression to include malicious code like this:
<evaluator>
<janinoEventEvaluator>
<expression>
// malicious Java code here
</expression>
</janinoEventEvaluator>
</evaluator>
2. By injecting a malicious environment variable into the target system before the program's execution that points to a new malicious logback configuration file containing a Java expression designed for arbitrary code execution.
Assume a new logback configuration file contains the following snippet
<evaluator>
<janinoEventEvaluator>
<expression>
// malicious Java code here
</expression>
</janinoEventEvaluator>
</evaluator>
With this file in place, the attacker could inject a malicious environment variable like this
export LOGBACK_CONFIG_FILE=path/to/malicious/logback.xml
In both scenarios, the attacker must have privileges to access the target system, either by write access to the configuration file or by injecting an environment variable.
Original References
- QOS.CH logback-core advisory
- JaninoEventEvaluator documentation
Mitigation
As a mitigation, users are advised to update their logback-core library to version 1.5.13 or later. In addition, application developers should restrict access to logback configuration files and ensure standard security practices are in place to prevent unauthorized modifications or injections of environment variables.
Conclusion
The ACE vulnerability in JaninoEventEvaluator by QOS.CH logback-core presents a significant risk to Java applications using this library with versions up to and including 1.5.12. The ability for an attacker to execute arbitrary code is a severe threat, and organizations are urged to promptly update their logback-core library and follow proper security measures to protect against this vulnerability.
Timeline
Published on: 12/19/2024 16:15:07 UTC