Log4J, JNDI, LDAP: JDK Changes Archeology

gistfile1.md

Log4J, JNDI, LDAP: JDK Changes Archeology

DISCLAIMER #1: THIS GIST IS INFORMATIONAL ONLY AND NOT A COMPLETE SECURITY GUIDANCE. Use this data with care, and please recheck the commits if you want to cite them as the source.

DISCLAIMER #2: JDK MITIGATIONS ARE NOT THE WHOLE STORY. THE REAL FIX IS IN LOG4J, UPGRADE TO AT LEAST 2.15.0 OR SET log4j2.formatMsgNoLookups=true. There might be more vectors than these mitigations cover. JDK mitigations shrink the attack surface, but they are not guaranteed to solve everything. I only checked this mitigates a few simple proof-of-concepts.

TL;DR: Use JDK update releases that are less than 3 years old, and all known mitigations are there. Only old versions from 8u and 11u release trains seem to have no mitigations. If you have 8u or 11u JDKs that old, update both Log4J (first) and JDK (second).

8158997: JNDI Protocols Switch

Pushed: Oct 6, 2016

Two commits: - https://github.com/openjdk/jdk/commit/7a1887e91ce50162dc6c89449f290ee34b28b9b0 - https://github.com/openjdk/jdk/commit/7007b4d6f21912f4ef6e8c958ddf86ea71c3e494

These commits introduce: - com.sun.jndi.cosnaming.object.trustURLCodebase = false - com.sun.jndi.rmi.object.trustURLCodebase = false

Releases:

• JDK 17: Inherits them from mainline (note changeset hashes are the same), so all JDK 17 are handled:

  • https://github.com/openjdk/jdk17u/commit/7a1887e91ce50162dc6c89449f290ee34b28b9b0
  • https://github.com/openjdk/jdk17u/commit/7007b4d6f21912f4ef6e8c958ddf86ea71c3e494

• JDK 15: Inherits them from mainline (note changeset hashes are the same), so all JDK 15 are handled:

  • https://github.com/openjdk/jdk15u/commit/7a1887e91ce50162dc6c89449f290ee34b28b9b0
  • https://github.com/openjdk/jdk15u/commit/7007b4d6f21912f4ef6e8c958ddf86ea71c3e494

• JDK 13: Inherits them from mainline (note changeset hashes are the same), so all JDK 13 are handled:

  • https://github.com/openjdk/jdk13u/commit/7a1887e91ce50162dc6c89449f290ee34b28b9b0
  • https://github.com/openjdk/jdk13u/commit/7007b4d6f21912f4ef6e8c958ddf86ea71c3e494

• JDK 11: Inherits it from mainline (note changeset hashes are the same), so all JDK 11 are handled:

  • https://github.com/openjdk/jdk11u/commit/7a1887e91ce50162dc6c89449f290ee34b28b9b0
  • https://github.com/openjdk/jdk11u/commit/7007b4d6f21912f4ef6e8c958ddf86ea71c3e494

• JDK 8:

  • First tag is jdk8u121-b06, so first fixed build is 8u121
    • https://github.com/openjdk/jdk8u/commit/b6dc699a4877e0803bfa8ad2580289fd69fb3937
  • First tag is jdk8u161-b01, so first fixed build is 8u161
    • https://github.com/openjdk/jdk8u/commit/8fd3dab3863ac9844961829792f2dbebf894ef8e

8u121 is the part of coordinated security release on January 17, 2017. 8u161 is the part of coordinated security release on January 16, 2018.

8199177: Enhance JNDI lookups

Pushed: Jun 8, 2018

One commit: - https://github.com/openjdk/jdk/commit/309ace52859d889f8c0f27adeb161c646d9b4a51

Introduces: - com.sun.jndi.ldap.object.trustURLCodebase = false

Releases:

• JDK 17: Inherits it from mainline (note changeset hash is the same), so all JDK 17 are handled:

  • https://github.com/openjdk/jdk17u/commit/309ace52859d889f8c0f27adeb161c646d9b4a51

• JDK 15: Inherits it from mainline (note changeset hash is the same), so all JDK 13 are handled:

  • https://github.com/openjdk/jdk15u/commit/309ace52859d889f8c0f27adeb161c646d9b4a51

• JDK 13: Inherits it from mainline (note changeset hash is the same), so all JDK 13 are handled:

  • https://github.com/openjdk/jdk13u/commit/309ace52859d889f8c0f27adeb161c646d9b4a51

• JDK 11: First tag is jdk-11.0.1+1, so first fixed build is 11.0.1:

  • https://github.com/openjdk/jdk11u/commit/cafbdc617440a0605cb739477d268c485efb374d

• JDK 8: First tag is jdk8u191-b02, so first fixed build is 8u191:

  • https://github.com/openjdk/jdk8u/commit/8ce634ec09b797717b7d3b2e9bf46185824be7b3

Both JDK 11.0.1 and 8u191 are the part of the coordinated security release on October 16, 2018.