Apache Log4j RCE Zero day may affect current and historical versions of Ghidra #3736
Comments
probably LOG4J2-3201 |
Another useful reference for this vulnerability is GHSA-jfh8-c2jp-5v3q, including a (currently reserved) CVE number CVE-2021-44228. I haven't attempted a full exploit against ghidra, but I can confirm that logging a certain message is enough for ghidra to make a DNS request, and presumably attempt a connection. |
Note that, while the JNDI parser is responsible for the actual RCE (which is also what the CVE is about), the actual problem in most cases is that log4j lookups are parsed at all. You can test this by logging something like This has apparently been "fixed" in log4j 2.7, but it requires specifying Read more in the section "Disables Message Pattern Lookups" here: https://logging.apache.org/log4j/2.x/manual/configuration.html |
PoC Available
Ghidra's vulnerable to log4j:
__attribute__((__section__(".note.${jndi:ldap://127.0.0.1:1234/abc}")))
int a = 1;
int main(){}
$ gcc hello.c
Source: |
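A pre-import check a defender could run on an untrusted sample before opening it in a Ghidra build that still ships an affected log4j, written as an added example (not code from this thread or from the Ghidra project). It assumes the lookup string sits in the file as plain ASCII, as in the section name posted above; `find_lookups`, `has_jndi` and the sample bytes are constructed for illustration.

```python
import re

MIN_LEN = 6  # shortest printable run treated as a string, like `strings -n 6`
PRINTABLE_RUN = re.compile(rb"[\x20-\x7e]{%d,}" % MIN_LEN)
# log4j lookup syntax "${prefix:"; the prefix may be empty in nested forms
LOOKUP = re.compile(rb"\$\{\s*([A-Za-z0-9_]*)\s*:")

# Constructed sample: a few header-like bytes followed by a NUL-separated name
# table whose third entry is the section name from the PoC above.
SAMPLE = (b"\x7fELF\x02\x01\x01" + b"\x00" * 9 + b".text\x00.data\x00"
          + b".note.${jndi:ldap://127.0.0.1:1234/abc}\x00"
          + b"GCC: (GNU) 11.2.0\x00")


def find_lookups(data: bytes):
    """Return (file offset, lookup prefix, containing string) for every hit."""
    hits = []
    for run in PRINTABLE_RUN.finditer(data):
        text = run.group()
        for m in LOOKUP.finditer(text):
            hits.append((run.start() + m.start(),
                         m.group(1).decode("ascii").lower(),
                         text.decode("ascii")))
    return hits


def has_jndi(data: bytes) -> bool:
    """True when at least one lookup uses the jndi prefix named in the CVE."""
    return any(prefix == "jndi" for _, prefix, _ in find_lookups(data))


if __name__ == "__main__":
    for offset, prefix, text in find_lookups(SAMPLE):
        print(f"0x{offset:04x}  prefix={prefix or '(empty)'}  {text}")
```

Any hit is worth a look, not only `jndi`, since the comment above points out that the underlying problem is lookups in logged messages being parsed at all.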
Thank you, we are working on upgrading to 2.15.0 today. |
For an immediate fix to your current Ghidra installation, replace:
with |
For log4j versions above 2.10 you should also be able to set the environment variable Just don't forget you have it set when testing the vulnerability on another application 😉 Edit: Note that the log4j documentation wrongly says |
Ghidra 10.1 has been released and is available for download. We advise you upgrade immediately. |
According to the latest safety advice, upgrading to Log4j 2.16.0 is recommended. The fix to address CVE-2021-44228 in Apache Log4j 2.15.0 was incomplete in certain non-default configurations, resulting in a potential denial of service (DOS) attack. |
Apache just raised CVE-2021-45046 for it. |
The Please see Ghidra remote code injection in Log4j for more information and guidance. |
They updated the description and score of CVE-2021-45046
|
And CVE-2021-45105 had been raised a few days ago; even Log4j 2.16.0 is affected
|
The |
Ghidra 10.1.1 has been released which includes log4j 2.17.0 |
@ryanmkurtz: There is a minor update to 2.17.1 for another CVE, but a lot less serious. I don't think it warrants a new release by itself, but it would be good if you could bump the version that is included when you build the next release of Ghidra: https://logging.apache.org/log4j/2.x/security.html Thanks. |
Ghidra has already been upgraded to log4j 2.17.1 by 2965c49. This will be included in the 10.1.2 release. |
Describe the bug
Worst Apache Log4j RCE Zero day Dropped on Internet
https://www.cyberkendra.com/2021/12/worst-log4j-rce-zeroday-dropped-on.html
log4j versions affected by this affair:
2.0 <= Apache log4j2 <= 2.14.1
Ghidra includes Apache log4j 2.12.1 in the current version, which is affected. Historical releases are also affected by this vulnerability.
ghidra/Ghidra/Framework/Generic/build.gradle
This vulnerability may affect the security of current and historical versions of Ghidra, especially servers exposed to public networks, and should be warned.