CVE-2024-12798
Arbitrary Code Execution vulnerability in logback-core (Maven)

Arbitrary Code Execution No known exploit Fixable By Resolved Security

What is CVE-2024-12798 About?

This vulnerability in logback-core's JaninoEventEvaluator allows arbitrary code execution in Java applications that log through logback. An attacker who can modify an existing logback configuration file, or who can inject an environment variable before the program starts so that it loads a configuration file they control, can place a Janino expression in that file which logback compiles and runs as Java code with the application's privileges. Both paths require existing privilege (write access to the configuration file or control over the process environment); log message content alone cannot reach the evaluator.

Affected Software

  • ch.qos.logback:logback-core
    • <1.3.15
    • >1.4.0, <1.5.13

Technical Details

logback's EvaluatorFilter (and other features that take an <evaluator> element) accept an <expression> child whose text is Java source. JaninoEventEvaluator (ch.qos.logback.classic.boolex.JaninoEventEvaluator, built on JaninoEventEvaluatorBase in logback-core) hands that text to the Janino compiler, which turns it into the body of a Java method and then runs it against logging events. Nothing restricts what the expression may do: any Java statement, including calls to Runtime or ProcessBuilder, is compiled and executed inside the application's JVM, so whoever controls the configuration file controls code running in the process. The expression is compiled when the configuration is loaded and executed every time the filter evaluates an event. logback locates its configuration through the logback.configurationFile system property, falling back to logback.xml on the classpath, so an attacker who can set JVM options through the environment before launch (for example via JAVA_TOOL_OPTIONS, which the JVM reads at startup) can point the application at a file they wrote; an attacker who can already write the configuration file the application loads needs nothing more. The expression is treated as trusted code in every affected version; the vulnerability is that the configuration file was never a trust boundary that logback enforced.

What is the Impact of CVE-2024-12798?

Successful exploitation gives the attacker arbitrary code execution inside the Java process, with the privileges of the application that loads the configuration. Because the expression runs each time the evaluator fires, a modified configuration file also serves as persistence that survives restarts for as long as the change stays in place. Confidentiality and integrity of the application and its data are affected, not only availability.

What is the Exploitability of CVE-2024-12798?

Exploitation requires existing privilege: either write access to the logback configuration file the application loads, or the ability to set environment variables (and through them JVM options) for the process before it starts. There is no remote, unauthenticated path, and nothing an attacker writes into log messages reaches the evaluator's expression. The vulnerability is therefore local in practice, and its realistic value is privilege escalation or persistence after an initial foothold, for example on a host where the configuration file is writable by a lower-privileged account or a deployment pipeline, or in a container whose environment is assembled from a less trusted source. On the application side the only prerequisite is a logback-core in an affected range: a malicious configuration can introduce the JaninoEventEvaluator even where the legitimate configuration never used it. One caveat narrows the exposure: the evaluator needs the Janino compiler on the classpath, which logback declares as an optional dependency, so applications that do not ship the Janino jar cannot compile the expression at all.
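Two checks follow from the technical details and exploitability sections above: whether the logback-core on the classpath falls in an affected range, and whether any configuration file wires in JaninoEventEvaluator. The script below is an added example in POSIX sh, not code from the advisory or from the logback project. The dependency-tree dump and the two configuration files it scans are constructed samples written to a temporary directory; the class names in them (EvaluatorFilter, JaninoEventEvaluator, ThresholdFilter) are logback's own.

```shell
#!/bin/sh
# Added example, not from the advisory or from the logback project: audit
# helpers for CVE-2024-12798 in POSIX sh. Two questions matter for triage:
#   1. is the logback-core on the classpath in an affected range
#      (<1.3.15, or >=1.4.0 and <1.5.13, as listed on this page)?
#   2. does a logback configuration file wire in JaninoEventEvaluator,
#      the component that compiles <expression> text into Java?
# All inputs below are constructed samples so the script runs offline.
set -e

# Compare two dotted versions numerically; prints -1, 0 or 1.
# Each version is padded with ".0.0" so cut always sees three fields, and a
# qualifier such as "-SNAPSHOT" is stripped from the component it follows.
vcmp() {
    i=1
    while [ "$i" -le 3 ]; do
        x=$(printf '%s.0.0' "$1" | cut -d. -f"$i" | sed 's/[^0-9].*//')
        y=$(printf '%s.0.0' "$2" | cut -d. -f"$i" | sed 's/[^0-9].*//')
        x=${x:-0}; y=${y:-0}
        if [ "$x" -lt "$y" ]; then printf '%s\n' -1; return 0; fi
        if [ "$x" -gt "$y" ]; then printf '%s\n' 1; return 0; fi
        i=$((i + 1))
    done
    printf '%s\n' 0
}

# Exit status 0 if VERSION is in one of the affected ranges on this page.
is_affected() {
    if [ "$(vcmp "$1" 1.3.15)" -lt 0 ]; then return 0; fi
    if [ "$(vcmp "$1" 1.4.0)" -ge 0 ] && [ "$(vcmp "$1" 1.5.13)" -lt 0 ]; then return 0; fi
    return 1
}

# Print each distinct logback-core version from a `mvn dependency:tree` dump
# that is in an affected range. Lines look like
# "[INFO] |  \- ch.qos.logback:logback-core:jar:1.5.12:compile".
scan_deptree() {
    sed -n 's/.*ch\.qos\.logback:logback-core:jar:\([^:]*\):.*/\1/p' "$1" | sort -u |
    while read -r v; do
        if is_affected "$v"; then echo "$v"; fi
    done
}

# Exit status 0 if a logback configuration references the Janino evaluator,
# either by class name or through a bare <evaluator> element, which logback
# resolves to JaninoEventEvaluator when no class attribute is given.
config_uses_janino() {
    grep -qE 'JaninoEventEvaluator|<evaluator[ >]' "$1"
}

# Write the constructed sample inputs into DIR and print DIR.
write_samples() {
    cat > "$1/deptree.txt" <<'EOF'
[INFO] com.example:app:jar:1.0
[INFO] +- ch.qos.logback:logback-classic:jar:1.5.12:compile
[INFO] |  \- ch.qos.logback:logback-core:jar:1.5.12:compile
[INFO] \- org.slf4j:slf4j-api:jar:2.0.16:compile
EOF
    # EvaluatorFilter whose <expression> Janino compiles as the body of a Java
    # method; any Java statement placed there runs inside the application.
    cat > "$1/logback-janino.xml" <<'EOF'
<configuration>
  <appender name="STDOUT" class="ch.qos.logback.core.ConsoleAppender">
    <filter class="ch.qos.logback.core.filter.EvaluatorFilter">
      <evaluator class="ch.qos.logback.classic.boolex.JaninoEventEvaluator">
        <expression>return level >= WARN;</expression>
      </evaluator>
      <onMatch>ACCEPT</onMatch>
      <onMismatch>DENY</onMismatch>
    </filter>
    <encoder><pattern>%d %-5level %logger - %msg%n</pattern></encoder>
  </appender>
  <root level="INFO"><appender-ref ref="STDOUT"/></root>
</configuration>
EOF
    # The same level filtering with ThresholdFilter: no expression, nothing compiled.
    cat > "$1/logback-clean.xml" <<'EOF'
<configuration>
  <appender name="STDOUT" class="ch.qos.logback.core.ConsoleAppender">
    <filter class="ch.qos.logback.classic.filter.ThresholdFilter">
      <level>WARN</level>
    </filter>
    <encoder><pattern>%d %-5level %logger - %msg%n</pattern></encoder>
  </appender>
  <root level="INFO"><appender-ref ref="STDOUT"/></root>
</configuration>
EOF
    echo "$1"
}

# Demo run over the constructed inputs.
main() {
    dir=$(write_samples "$(mktemp -d)")
    for v in $(scan_deptree "$dir/deptree.txt"); do
        echo "affected logback-core on classpath: $v"
    done
    for f in "$dir"/*.xml; do
        if config_uses_janino "$f"; then echo "Janino evaluator in use: $f"
        else echo "no Janino evaluator:     $f"; fi
    done
}
main "$@"
```

In practice, feed scan_deptree the output of mvn dependency:tree (or the equivalent Gradle report) and run config_uses_janino over every logback*.xml plus whatever file logback.configurationFile names at runtime. A hit on the configuration check is only exploitable when the Janino jar is also on the classpath and someone untrusted can write that file or the process environment; a hit on the version check is the one to fix regardless, since a malicious configuration can add the evaluator itself.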

What are the Known Public Exploits?

PoC Author Link Commentary
No known exploits

What are the Available Fixes for CVE-2024-12798?

A Fix by Resolved Security Exists!
See how we help you strengthen security with automated backported fixes for your libraries.

About the Fix from Resolved Security

This patch removes Janino-based expression evaluation functionality (specifically JaninoEventEvaluator and its usage), which was vulnerable to arbitrary code execution as described in CVE-2024-12798. By eliminating this feature, users can no longer provide attacker-controlled expressions that Janino would compile and run as code, thus preventing exploitation of this critical code-injection vector.

Available Upgrade Options

  • ch.qos.logback:logback-core
    • <1.3.15 → Upgrade to 1.3.15
  • ch.qos.logback:logback-core
    • >=1.4.0, <1.5.13 → Upgrade to 1.5.13

Struggling with dependency upgrades?

See how Resolved Security's drop-in replacements make it simple.

Book a demo

Additional Resources

What are Similar Vulnerabilities to CVE-2024-12798?

Similar Vulnerabilities: CVE-2021-3449 , CVE-2020-1971 , CVE-2019-1559 , CVE-2019-1549 , CVE-2016-7052