In January 2022, Apache disclosed three vulnerabilities impacting Log4j 1.x versions.
Full disclosure: Log4j 1.x is an end-of-life product anyway, as of August 2015, and the recommended advice has always been to be on a safe log4j 2.x version. But, buried in these CVE disclosures is a critical Apache Chainsaw vulnerability that has been analyzed below.
To summarize quickly, the three CVEs disclosed this week are:
[Sonatype's CVSS rating: 9.8 / Critical]
[Sonatype's CVSS score: 9.8 / Critical]
[Sonatype's CVSS score: 7.2 / High]
The term Chainsaw RCE vulnerability refers to a security flaw in software that allows an attacker to execute code (hence, "RCE" stands for "Remote Code Execution") on a computer or system. It's like giving a hacker the power to control your computer from afar.
On peeking inside one of the Log4j 1.x JARs using "tar -tvf," one can trivially spot the presence of Chainsaw classes:
On decompiling one of these classes, LoggingReceiver.class, the code responsible for untrusted deserialization surfaces within the run() method of its Slurper nested class:
Line 54 is where the Serializable interface's readObject() method is invoked without verifying the object type or restricting deserialization to only certain types of objects. As a result, an attacker who is able to send a malicious payload to the vulnerable Log4j 1.x version can trigger arbitrary code execution.
A vulnerability like this one can lead to data breaches, unauthorized access, and various other security problems. As such, you need to patch or fix these vulnerabilities as soon as they are discovered to protect your system from potential attacks.
With Log4j 1.x being impacted, a natural question that arises is if Logback is also impacted by these vulnerabilities. After all, Logback is a successor to Log4j, "picking up where log4j 1.x leaves off."
Firstly, there is no indication that Logback utilizes Apache Chainsaw.
Secondly, my sharp-eyed colleague Ankita Lamba, Senior Security Researcher, noticed that starting with logback 1.2.0, the project had implemented its own "hardened" object input stream to throw exceptions for invalid serialized objects it may parse.
The placement of these HardenedAccessEventInputStream objects in versions 1.2.0 and above, replacing the ObjectInputStream instances, largely mitigates the untrusted deserialization issue.
Thankfully, logback versions prior to 1.2.0 are known to be vulnerable to CVE-2017-5929.
As mentioned above, Log4j 1.x versions have been end-of-life for quite some time now. As such, upgrading to the latest Log4j 2.x version is the recommended upgrade route.
Sonatype customers using next-generation Sonatype Intelligence-powered products, such as IQ, can rest easy as security data pursuant to CVE-2022-23302, CVE-2022-23305, and CVE-2022-23307 has been made available in our products with extensive detection capabilities (i.e. deep binary scanning) and dependable remediation guidance.
Additionally, CVEs and Sonatype-identified vulnerabilities applicable to all Log4j (1.x, 2.x) and 'logback' versions are available in IQ:
Finally, even if you aren't using any of Sonatype's products, Sonatype offers a free vulnerability scanner you can download or use online. The report will detail the usage of all vulnerable versions of Log4j in your repositories.