Re: Log4Shell and Log::Log4perl

Although Java is not directly involved, I think it's noteworthy that Log::Log4perl offers code execution while reading configuration files. This might be an entry point for an attacker, although not as serious as Log4Shell since it requires access to the Log4perl configuration files while Log4Shell requires just lazy or no input validation.

#!/usr/bin/env perl

use strict;
use warnings;
use Log::Log4perl;


sub some_quote  { qq{I solemnly swear that I am up to no good.\n} };

#-- this would be the content of a manipulated log4perl configuration 
+file
my $conf = q(
        #-- this could be the content of a configuration file ...
        log4perl.category.Foo.Bar          = INFO, Screen

        log4perl.appender.Screen         = Log::Log4perl::Appender::Sc
+reen
        log4perl.appender.Screen.stderr  = 0
        log4perl.appender.Screen.layout  =  \
                 sub { \
                       print some_quote(); system("date"); \
                       return "Log::Log4perl::Layout::SimpleLayout"; \
                     }
      );

## Log::Log4perl::Config->allow_code(0); #-- would have disabled code 
+execution

Log::Log4perl::init( \$conf );

my $logger = Log::Log4perl::get_logger('Foo::Bar');

$logger->info("Mischief managed.");
[download]

Output:

Output:

I solemnly swear that I am up to no good.
Fri Dec 24 19:33:09 CET 2021
INFO - Mischief managed.
[download]

This feature can be disabled (see FAQ) using:

Log::Log4perl::Config->allow_code(0);
[download]

Comment on Re: Log4Shell and Log::Log4perl Select or Download Code

Replies are listed 'Best First'.
Re^2: Log4Shell and Log::Log4perl by etj (Priest) on Dec 24, 2021 at 19:23 UTC
If you can modify the config, you can modify the rest of the application. This doesn't seem like a meaningful point in discussing possible security flaws in any library?	[reply]
Re^3: Log4Shell and Log::Log4perl by Fletch (Bishop) on Dec 26, 2021 at 04:04 UTC
As noted in the docs it's possible to disable this behavior with: `Log::Log4perl::Config->allow_code(0);` [download] The cake is a lie. The cake is a lie. The cake is a lie.	[reply] [d/l]
Re^4: Log4Shell and Log::Log4perl by afoken (Chancellor) on Dec 28, 2021 at 13:54 UTC
As noted in the docs it's possible to disable this behavior with: `Log::Log4perl::Config->allow_code(0);` [download] So it's insecure by default. Not nice. And the same is true for the next documented feature, `Log::Log4perl::Config->allowed_code_ops(...)`. Quoting the documentation: By default, a value of '1' is assumed, which does a normal 'eval' without any restrictions. Insecure by default, you have to lock it down explicitly. Again, not nice. Alexander -- Today I will gladly share my knowledge and experience, for there are no sweeter words than "I told you so". ;-)	[reply] [d/l] [select]
Re^3: Log4Shell and Log::Log4perl by Perlbotics (Archbishop) on Dec 25, 2021 at 11:00 UTC
If you can modify the config, you can modify the rest of the application. True in Perl, Python, Javascript etc., not necessary in Java, C++, etc. - or at least harder. It boils down to proper access permissions and running the application always with least privileges. The core of Log4Shell is the unexpected or little known behaviour of the library to contact remote services. Usually, I would expect from a configuration file to hold static read only data, not fractions of code that could be executed - and that's also unexpected or little known Log::Log4perl behaviour.	[reply]
Re^4: Log4Shell and Log::Log4perl by etj (Priest) on Dec 26, 2021 at 01:39 UTC
True in Perl Do we agree that Log::Log4perl is Perl, though? unexpected or little known Log::Log4perl behaviour This doesn't seem to acknowledge your previous point that it's true in Perl.	[reply]