Menu
How can I dump on Java (IBM Java) the default values to check the default of the following?
"com.sun.jndi.rmi.object.trustURLCodebase"
"com.sun.jndi.cosnaming.object.trustURLCodebase"
Something like this, but for the above parameters:
java -XX:+PrintFlagsFinal -version
This is for a CVE-2021-44228 mitigation review.
Ideally this can be checked on cmd and not need to run test code.
Here is my attempt of test code which doesn't show (display Null):
import java.util.Properties;
class TiloDisplay
{
public static void main(String[] args)
{
Properties prop = System.getProperties();
printProperties(prop);
}
public static void printProperties(Properties prop) {
prop.stringPropertyNames().stream()
.map(key -> key + ": " + prop.getProperty(key))
.forEach(System.out::println);
System.out.println("CVE check part ========================================== " );
System.out.println("CVE check for:: com.sun.jndi.ldap.object.trustURLCodebase: " + prop.getProperty("com.sun.jndi.ldap.object.trustURLCodebase"));
System.out.println("CVE check for:: com.sun.jndi.rmi.object.trustURLCodebase: " + prop.getProperty("com.sun.jndi.rmi.object.trustURLCodebase"));
System.out.println("CVE check for:: com.sun.jndi.cosnaming.object.trustURLCodebase: " + prop.getProperty("com.sun.jndi.cosnaming.object.trustURLCodebase"));
System.out.println("Cross Check: " + prop.getProperty("java.version"));
}
}
Compile and run:
javac DisplayApp.java -source 1.8 -target 1.8
java TiloDisplay
974
An application restart will be required for these changes to take effect. The vulnerabilities, tracked as CVE-2021-44228 and CVE-2021-45046 and referred to as “Log4Shell,” affects Java-based applications that use Log4j 2 versions 2.0 through 2.15.0.
IBM’s top priority remains the security of our clients and products. Product teams are releasing remediations for Log4j 2.x CVE-2021-44228 as fast as possible, moving to the latest version that’s available when they are developing a fix.
The CVE-2021-44228 mitigation from Apache referenced below has been updated to reflect the latest guidance on Apache’s advisory page. The list of products that are confirmed not impacted by Log4j 2.x CVE-2021-44228 has been updated. The list of products that are confirmed not impacted by Log4j 2.x CVE-2021-44228 has been updated.
Most likely you are running log4j1 which is not vulnerable, however you will be vulnerable to CVE-2021-4104. Q9. If I set log4j2.formatMsgNoLookups to true will it affect my application use of log4j2? A9. Note: Later information from the log4j team describes this mitigation as "insufficient".
CVE-2021-44228 creates a large attack surface depending on the imagination of the attacker and an RCE is just one of them.
I would strongly advise you to avoid having a false conclusion by relying on a JVM feature targeting a certain attack vector; there are more vectors. Simply either bump log4j-core to 2.15.0 or set the log4j2.formatMsgNoLookups=true system property.
78
Answering the letter of the question:
It does not appear that the system properties in question have any value by default. If they did, you could check with:
java -XshowSettings:properties -version
Note that -X flags are non-standard, though IBM Java supports this one (checked Semeru 11).
As for the context:
The implementations (in OpenJDK at least) query for the property values, defaulting to false if the properties are unset, e.g.,
// System property to control whether classes may be loaded from an
// arbitrary URL code base
String trust = getPrivilegedProperty(
"com.sun.jndi.ldap.object.trustURLCodebase", "false");
trustURLCodebase = "true".equalsIgnoreCase(trust);
So neither -XshowSettings nor the programmatic check in the question are helpful to know for certain what behavior your JVM defaults to for these features, or if the JVM version you're running uses these properties at all if you set them explicitly.
I agree with Volkan's point, but I also would like to verify that these (dangerous) JNDI features are disabled regardless of the Log4j exploit. Unfortunately though we need another way to do that, ideally an implementation-independent one.
42
The upgrade to Log4j 2.15.x is not enough. There is another exploit (see Second Log4j vulnerability discovered, patch already released) and a new version Log4j 2.16 has been published already, disabling the default JNDI settings (Download Apache Log4j 2) and upgrade to 2.16 version is more important now.
But there are many Log4j clones, custom code using the same Log4j classes and that is why it's important to check the JVM settings, especially for previous JDK versions as prior to 6u211, 7u201 and 8u191 and disable JNDI + RMI settings. More about it was presented at Black Hat in 2016. See A journey from JNDI/LDAP manipulation to remote code execution dream land.
2
The command
jps -lvm
will output your running Java processes with their parameters.
See also this answer to Getting the parameters of a running JVM.
1
I would assume that turning these feature off will prevent remote code execution (RCE) using JNDI, not just the one using Log4j 2:
log4j2.formatMsgNoLookups -> set to true
"com.sun.jndi.rmi.object.trustURLCodebase" -> set to false
"com.sun.jndi.cosnaming.object.trustURLCodebase" -> set to false
Upgrade Log4J2 to 2.17.1 and upgrade Java to higher than Java 8u121.
1
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With
