Potential impacts of log4shell on logback

Cantor, Scott cantor.2 at osu.edu
Wed Dec 15 19:22:19 UTC 2021


There's a public update to the logging library we do use, logback, in response to an issue "sort of like" the log4j vulnerabilities (there are 2 now) but quite different in kind.

http://logback.qos.ch/news.html
https://jira.qos.ch/browse/LOGBACK-1591

We have reviewed that material and the take away (theirs and ours) is that this is not a remote code execution issue like the log4j issues were, so it's very different in risk. Basically they're noting that they have some JNDI support also, and if you configure it explicitly, it can be exploited. To make this an attack, you'd have to actually have access to update the logging file (which does reload by default) to enable the feature. That's not exactly a remote attack obviously.

They're already walking back the initial patch to logback and our judgement is that it's not warranting a patch until things settle and they ship a change they're happy with. At that point it's probably worth a patch as a due diligence thing since we don't have any other updates imminent at the moment.

What is evident is:

* It's nuts to enable their JNDI support so if you did that, take it out. This is pretty obvious to begin with.

* Hygiene is always good. Ideally the IdP should run under an account without write or chmod access to the config files, which is also just "mom and apple pie" security, even though lots of us don't follow it. Probably worth a look at that if you've been lax about it, but it's nothing the software dictates.

* If you don't need it, feel free to just turn off reloading of the logging configuration (via services.properties). We default that way simply because it's extremely useful.

TL;DR: We're not shipping a patch right this minute but once things settle we probably will make a release available along with any other hardening that seems appropriate, and there are certainly lessons to take away already, as above.

If anything changes, obviously we will review. If we have to ship a patch, we can do that without much notice until the holiday, but we'll try and see about coverage next week in case we have to.

-- Scott




More information about the announce mailing list