Log4J JNDI Vulnerability

This post is an extension of https://techdevins.blogspot.com/2021/09/solving-jenkins-maven-build-xray-log4j.html. Apart from the fix discussed there, it is also required to upgrade Log4J to 2.15.0 or above because of the JNDI lookup attack.

Refer to the figure below to understand how deserialization of untrusted data can be exploited to remotely execute arbitrary code.




Some posts suggest setting the property below as a workaround:
  • log4j2.formatMsgNoLookups
But this is a serious vulnerability; do not rely on such workarounds. Upgrade the Log4j jars instead. Refer to https://logging.apache.org/log4j/2.x/security.html, which states:

"A new CVE (CVE-2021-45046, see above) was raised for this.

Other insufficient mitigation measures are: setting system property log4j2.formatMsgNoLookups or environment variable LOG4J_FORMAT_MSG_NO_LOOKUPS to true for releases >= 2.10, or modifying the logging configuration to disable message lookups with %m{nolookups}, %msg{nolookups} or %message{nolookups} for releases >= 2.7 and <= 2.14.1.

The reason these measures are insufficient is that, in addition to the Thread Context attack vector mentioned above, there are still code paths in Log4j where message lookups could occur: known examples are applications that use Logger.printf("%s", userInput), or applications that use a custom message factory, where the resulting messages do not implement StringBuilderFormattable. There may be other attack vectors.

The safest thing to do is to upgrade Log4j to a safe version, or remove the JndiLookup class from the log4j-core jar."
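The advisory quoted above leaves two acceptable states for a log4j-core jar: the version is at or above the one this post requires (2.15.0), or the JndiLookup class has been removed. The following added example (not code from the original post or from the Log4j project) inspects a jar for both conditions; the sample jars it builds in memory are constructed stand-ins, and the version threshold is taken from this post.

```python
# Added example: inspect a log4j-core jar and report whether it is at or above
# the version this post requires (2.15.0) or has had JndiLookup.class removed,
# the two remediations the Apache advisory quoted above describes.
import io
import re
import zipfile

JNDI_LOOKUP_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
POM_PROPS_RE = re.compile(
    r"META-INF/maven/org\.apache\.logging\.log4j/log4j-core/pom\.properties$")
SAFE_VERSION = (2, 15, 0)  # threshold stated in this post; adjust to the current advisory

def parse_version(text):
    """Turn '2.14.1' into (2, 14, 1); any non-numeric suffix is ignored."""
    return tuple(int(p) for p in re.findall(r"\d+", text)[:3])

def inspect_log4j_core(jar_bytes):
    """Return the jar's declared version, JndiLookup presence and a verdict."""
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as jar:
        names = set(jar.namelist())
        version = None
        for name in names:
            if POM_PROPS_RE.search(name):
                props = jar.read(name).decode("utf-8", "replace")
                m = re.search(r"^version=(.+)$", props, re.MULTILINE)
                if m:
                    version = m.group(1).strip()
    has_jndi = JNDI_LOOKUP_CLASS in names
    if version is not None and parse_version(version) >= SAFE_VERSION:
        verdict = "upgraded"
    elif not has_jndi:
        verdict = "mitigated-class-removed"
    else:
        verdict = "vulnerable"
    return {"version": version, "jndi_lookup_present": has_jndi, "verdict": verdict}

def build_sample_jar(version, include_jndi=True):
    """Constructed stand-in for a log4j-core jar so the example runs offline."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as jar:
        jar.writestr("META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties",
                     f"groupId=org.apache.logging.log4j\nartifactId=log4j-core\nversion={version}\n")
        if include_jndi:
            jar.writestr(JNDI_LOOKUP_CLASS, b"\xca\xfe\xba\xbe")  # placeholder class bytes
    return buf.getvalue()

if __name__ == "__main__":
    for v, jndi in [("2.14.1", True), ("2.14.1", False), ("2.15.0", True)]:
        print(v, jndi, inspect_log4j_core(build_sample_jar(v, jndi)))
```

To check a real deployment, read each log4j-core jar from the classpath into bytes and pass it to inspect_log4j_core; a "vulnerable" verdict means neither remediation from the advisory has been applied.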
