Log4J, JNDI, LDAP: JDK Changes Archeology

DISCLAIMER #1: THIS GIST IS INFORMATIONAL ONLY AND NOT COMPLETE SECURITY GUIDANCE. Use this data with care, and please recheck the commits if you want to cite them as the source.

DISCLAIMER #2: JDK MITIGATIONS ARE NOT THE WHOLE STORY. THE REAL FIX IS IN LOG4J: UPGRADE TO AT LEAST 2.15.0 OR SET log4j2.formatMsgNoLookups=true. There might be more vectors than these mitigations cover. JDK mitigations shrink the attack surface, but they are not guaranteed to solve everything. I only checked that this mitigates a few simple proofs of concept.

TL;DR: Use JDK update releases that are less than 3 years old, and all known mitigations are there. Only old versions from 8u and 11u release trains seem to have no mitigations. If you have 8u or 11u JDKs that old, update both Log4J (first) and JDK (second).

8158997: JNDI Protocols Switch

Pushed: Oct 6, 2016

Two commits:
- https://github.com/openjdk/jdk/commit/7a1887e91ce50162dc6c89449f290ee34b28b9b0
- https://github.com/openjdk/jdk/commit/7007b4d6f21912f4ef6e8c958ddf86ea71c3e494

These commits introduce:
- com.sun.jndi.cosnaming.object.trustURLCodebase = false
- com.sun.jndi.rmi.object.trustURLCodebase = false

Releases:

8u121 is part of the coordinated security release of January 17, 2017. 8u161 is part of the coordinated security release of January 16, 2018.

8199177: Enhance JNDI lookups

Pushed: Jun 8, 2018

One commit:
- https://github.com/openjdk/jdk/commit/309ace52859d889f8c0f27adeb161c646d9b4a51

Introduces:
- com.sun.jndi.ldap.object.trustURLCodebase = false

Releases:

Both JDK 11.0.1 and 8u191 are part of the coordinated security release of October 16, 2018.
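As an added example (not part of the gist), a POSIX shell function that maps a JDK version string onto the two changes above and reports which fixes are missing, handy when inventorying hosts. It assumes that JDK 12 and later, which shipped after both pushes, carry both changes, that 11.0.0 carries only the 2016 change, and that the 9 and 10 trains, which the gist does not cover, are reported as unknown.

```shell
#!/bin/sh
# Added example, not part of the gist: map a JDK version string onto the two
# JNDI hardening changes described above and report which ones are missing.
# Thresholds are taken from the gist: 8u121 (8158997), 8u191 and 11.0.1
# (8199177). Assumptions: JDK 12+ shipped after both pushes and carries both;
# 9 and 10 are not covered by the gist and are reported as "unknown".

# Prints the missing bug ids separated by a space, "" when both fixes are
# present, or "unknown". Accepts "1.8.0_181-b13", "8u181", "11.0.12+7", "17.0.2".
jndi_missing() {
    # Split on '.', '_', '+', 'u' and '-' so every format becomes a word list.
    set -- $(printf '%s' "$1" | tr -s '._+u-' ' ')
    major=$1
    case "$major" in
        1) major=$2; upd=${4:-0} ;;   # legacy "1.8.0_NNN" form
        8) upd=${2:-0} ;;             # "8uNNN" shorthand used in the gist
        *) upd=${3:-0} ;;             # "MAJOR.MINOR.UPDATE[+build]" form
    esac
    case "$major" in
        8)  if   [ "$upd" -ge 191 ]; then echo ""
            elif [ "$upd" -ge 121 ]; then echo "8199177"
            else echo "8158997 8199177"; fi ;;
        11) if [ "$upd" -ge 1 ]; then echo ""; else echo "8199177"; fi ;;
        9|10) echo "unknown" ;;
        *)  if [ "$major" -gt 11 ]; then echo ""; else echo "unknown"; fi ;;
    esac
}

# Extracts the quoted version string from `java -version` output.
java_version_string() {
    sed -n 's/.*version "\([^"]*\)".*/\1/p' | head -n 1
}

# Report on the JDK found on PATH, if any (skipped silently otherwise).
if command -v java >/dev/null 2>&1; then
    v=$(java -version 2>&1 | java_version_string)
    m=$(jndi_missing "$v")
    case "$m" in
        "")      echo "JDK $v: both JNDI mitigations present" ;;
        unknown) echo "JDK $v: release train not covered by the gist" ;;
        *)       echo "JDK $v: missing fix(es) $m" ;;
    esac
fi
```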
