
I believe I saw it mentioned in one of the security advisories about CVE-2021-44228 that reducing the logging level to ERROR or below can mitigate the vulnerability to some degree. I can't seem to find the same advisory again, possibly that piece of information has been removed since.

I found this explanation of CVE-2021-44228, which says about exploitable log entries that "The server logs this at the INFO level."

Would reducing the logging level to ERROR or below mitigate the vulnerability somewhat?

My understanding is that the attacker would need to trigger a logger.error() to inject a command, which is still possible, but less likely than with INFO level.

Primoz
  • Possibly; but can you really guarantee that neither your code nor the code of your dependencies is logging user input at ERROR, possibly also via SLF4J when you use the corresponding logging bridge to Log4j 2? If you can edit the log config anyway (to change the level), can you not use the `{nolookups}` option specified on the security notes page? Also note that lowering the log level might not protect against the newly discovered [CVE-2021-45046](https://nvd.nist.gov/vuln/detail/CVE-2021-45046) (though it seems to require legitimate usage of lookups in your log config to be exploitable). – Marcono1234 Dec 16 '21 at 00:46
  • @Marcono1234 I'm looking at this from the app admin perspective, not as a developer. As such, changing the log level is trivial. A key point about changing the log level is that it doesn't require restarting the app, as there might be situations where immediate patching and an app restart are not possible in production. – Primoz Dec 17 '21 at 11:59
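A Log4j 2 configuration that applies both mitigations discussed in this thread, level gating and `%m{nolookups}`, as an added example that is not part of the question or the comments; the console appender, the pattern string and the `monitorInterval` value are assumptions, not taken from the page.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Added example (not from the question or its comments). Assumes an
     application that already logs through Log4j 2 with a PatternLayout. -->
<!-- monitorInterval makes Log4j 2 re-read this file periodically, so the
     level and pattern below can be changed without restarting the app. -->
<Configuration status="WARN" monitorInterval="30">
  <Appenders>
    <Console name="Console" target="SYSTEM_OUT">
      <!-- Weak: a plain %m conversion lets lookups run on the message text.
           <PatternLayout pattern="%d %-5p [%t] %c - %m%n"/> -->
      <!-- Hardened: %m{nolookups} disables lookups inside the message
           (available from Log4j 2.7 through 2.14.1; upgrading to a fixed
           release remains the actual fix, and this does not help against
           lookups configured elsewhere, as noted for CVE-2021-45046). -->
      <PatternLayout pattern="%d %-5p [%t] %c - %m{nolookups}%n"/>
    </Console>
  </Appenders>
  <Loggers>
    <!-- Partial mitigation from the question: with the root level at ERROR,
         INFO/WARN/DEBUG events are discarded before their message is
         formatted, so no lookup happens for them. A logger.error() call
         that carries untrusted input is still formatted and still logged,
         which is why this alone is not sufficient. -->
    <Root level="ERROR">
      <AppenderRef ref="Console"/>
    </Root>
  </Loggers>
</Configuration>
```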
