by jfoutz 1636 days ago
I've just started looking, and I'm not an expert.

The key point here is log4j can get configuration a lot of different ways, including a network request. Based on https://logging.apache.org/log4j/2.x/manual/configuration.ht... control over DNS would let you rewrite sections of config, and thus run arbitrary code.

So, if you've got some access, this would allow you to escalate that access to a full RCE. I think that's why it's only Medium severity.

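As an added example (my own code, not from the thread, the CVE text, or the Log4j project), here is the check I would run on a fleet to see which JVMs have been told to fetch their Log4j 2 configuration from somewhere other than local disk, since that is the precondition the parent comment is worried about. It assumes the location is given through the `log4j2.configurationFile` / `log4j.configurationFile` system properties or the `LOG4J_CONFIGURATION_FILE` environment variable, and that the value may be a comma-separated list of locations; it does not look at `log4j2.component.properties` or programmatic configuration. The process list is constructed sample data, not output from a real host.

```python
"""
Flag JVMs whose Log4j 2 configuration is fetched over the network.

Log4j 2 takes its configuration location from (among other sources)
the log4j2.configurationFile / log4j.configurationFile system property
and the LOG4J_CONFIGURATION_FILE environment variable.  The value may be
a path or a URL, and a cleartext http:// URL is resolved via DNS and
fetched unauthenticated at startup, so whoever controls the name or the
network path controls the logging configuration.
"""
import shlex
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Property names Log4j 2 consults for its configuration location (assumed here).
PROPERTY_NAMES = ("log4j2.configurationFile", "log4j.configurationFile")
ENV_NAME = "LOG4J_CONFIGURATION_FILE"

# Schemes that resolve to something already on the box.
LOCAL_SCHEMES = {"file", "classpath", "classloader", "jar"}


@dataclass
class Finding:
    pid: int
    source: str   # which setting supplied the location
    value: str    # one location (after splitting comma-separated lists)
    scheme: str
    risk: str     # "high" = cleartext remote, "medium" = other remote, "low" = local


def config_locations(cmdline: str, env: Dict[str, str]) -> List[Tuple[str, str]]:
    """Return (source, raw value) pairs for every configuration location set."""
    found = []
    for tok in shlex.split(cmdline):
        if tok.startswith("-D") and "=" in tok:
            key, _, val = tok[2:].partition("=")
            if key in PROPERTY_NAMES:
                found.append((f"-D{key}", val))
    if ENV_NAME in env:
        found.append((f"env {ENV_NAME}", env[ENV_NAME]))
    return found


def classify(location: str) -> Tuple[str, str]:
    """Return (scheme, risk) for a single configuration location."""
    scheme, sep, _ = location.partition(":")
    # No colon, or a one-letter prefix (Windows drive letter): a plain path.
    if not sep or len(scheme) <= 1 or not scheme.isalpha():
        return ("file", "low")
    scheme = scheme.lower()
    if scheme in LOCAL_SCHEMES:
        return (scheme, "low")
    if scheme == "http":
        return (scheme, "high")       # cleartext: DNS or path control rewrites the config
    return (scheme, "medium")         # https/ftp/etc.: still a remote dependency at startup


def audit(processes) -> List[Finding]:
    """processes: iterable of (pid, cmdline, env). Returns one Finding per location."""
    findings = []
    for pid, cmdline, env in processes:
        for source, value in config_locations(cmdline, env):
            for location in value.split(","):   # Log4j 2 accepts a comma-separated list
                location = location.strip()
                if location:
                    scheme, risk = classify(location)
                    findings.append(Finding(pid, source, location, scheme, risk))
    return findings


def network_fetched(findings: List[Finding]) -> List[Finding]:
    """Only the findings where the config comes from off-host."""
    return [f for f in findings if f.risk != "low"]


# Constructed sample data: (pid, command line, environment).
PROCESSES = [
    (4101, "java -Dlog4j2.configurationFile=http://cfg.internal.example/app/log4j2.xml -jar app.jar", {}),
    (4102, "java -Dlog4j.configurationFile=/etc/app/log4j2.xml -jar app.jar", {}),
    (4103, "java -jar worker.jar", {ENV_NAME: "https://cfg.internal.example/worker.xml"}),
    (4104, "java -Dlog4j2.configurationFile=classpath:log4j2.xml,http://cfg.internal.example/override.xml -jar api.jar", {}),
]

if __name__ == "__main__":
    for f in network_fetched(audit(PROCESSES)):
        print(f"pid {f.pid}: {f.source} -> {f.value} [{f.scheme}, risk {f.risk}]")
```

Anything reported as `http` is the case the comment describes: no transport authentication, so a DNS answer or an on-path host decides what the JVM loads. An `https` location is only as good as the certificate validation on the client, which is why it is still reported rather than silently accepted; on a real host you would feed `audit()` from `ps` output and `/proc/<pid>/environ` instead of the constructed list.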

Holy moly, how was that ever a good idea? Just like routers being able to be configured via the manufacturer's website, config by someone other than you seems like a big red flag.
Well, log4j will be old enough to drink in a few weeks (January 8, 2001). It's way older than bcfg2 or Ansible, Chef, Puppet, etc. I'm not sure when the functionality was added. I'd bet it was the bee's knees at the time.
Log4j v2 (which was the first version to support plugins and lookups) was released in 2014.
Wild. I guess the NSA black bag job at Google was 2013, which led to SSL everywhere. I guess most folks still had the hard-and-crunchy-on-the-outside, soft-and-chewy-on-the-inside mindset. Time flies.
Sad that it should be retired now when it is coming of age.
> including a network request

The wording in the CVE description of “an attacker with permission to modify the logging configuration file” really obscures that fact if that’s true.

That wording means something very specific to me (and I would assume many others) - my immediate assumption was that it refers to an actual file on disk on the machine running Log4j.

If it can load config over a network request - I feel like this would have been useful to point out in the description?

Unless this particular issue is just restricted to local file-based config?

Sadly it’s late here so I don’t have time to read up further right now. I’ll reserve that pleasure for tomorrow morning…!