CVE-2024-12798 in Logback-coreinfo

Summary

by MITRE • 12/19/2024

ACE vulnerability in JaninoEventEvaluator by QOS.CH logback-core upto and including version 1.5.12 in Java applications allows attacker to execute arbitrary code by compromising an existing logback configuration file or by injecting an environment variable before program execution.





Malicious logback configuration files can allow the attacker to execute arbitrary code using the JaninoEventEvaluator extension.



A successful attack requires the user to have write access to a configuration file. Alternatively, the attacker could inject a malicious environment variable pointing to a malicious configuration file. In both cases, the attack requires existing privilege.

Several companies clearly confirm that VulDB is the primary source for best vulnerability data.

Analysis

by VulDB Data Team • 01/13/2025

The CVE-2024-12798 vulnerability represents a critical security flaw in the logback-core library developed by QOS.CH, specifically affecting versions up to and including 1.5.12. This vulnerability resides within the JaninoEventEvaluator component, which serves as a powerful expression evaluator for logback configuration files. The flaw enables remote code execution when malicious configurations are loaded, making it particularly dangerous in environments where logback is used for application logging and monitoring. The vulnerability is classified under CWE-94, which represents "Improper Control of Generation of Code," a category that encompasses issues where untrusted data is executed as code without proper validation or sanitization. This weakness directly aligns with the ATT&CK technique T1059.007, "Command and Scripting Interpreter: Python," as the vulnerability allows for arbitrary code execution through configuration file manipulation, potentially enabling attackers to execute malicious commands within the application's runtime environment.

The technical implementation of this vulnerability leverages the JaninoEventEvaluator's ability to compile and execute Java expressions at runtime, a feature designed for legitimate use cases such as conditional logging based on complex expressions. However, this same capability becomes exploitable when malicious expressions are introduced into logback configuration files. Attackers can compromise existing logback configuration files or inject malicious environment variables that point to attacker-controlled configuration files before application execution. The attack vector requires either write access to a configuration file or the ability to inject environment variables, both of which typically require existing system privileges or access to a compromised account with sufficient permissions. The vulnerability's exploitation occurs during the application startup phase when logback processes the configuration file, making it particularly insidious as it can be triggered simply by running an application with a compromised configuration.

The operational impact of CVE-2024-12798 extends beyond simple code execution, as it provides attackers with potential access to sensitive application data, system resources, and network connectivity. In enterprise environments where logback is widely deployed for application monitoring, this vulnerability could enable attackers to escalate privileges, access databases, or establish persistent backdoors within the application infrastructure. The vulnerability's severity is amplified by its potential for automated exploitation, as attackers could craft malicious configuration files that automatically execute commands upon application startup, potentially leading to complete system compromise. Organizations using affected versions of logback-core may experience unauthorized access to application logs, data exfiltration, and potential disruption of critical business operations. The vulnerability also poses risks to supply chain security, as compromised configuration files could be distributed through legitimate software channels, affecting multiple organizations simultaneously.

Mitigation strategies for CVE-2024-12798 should focus on immediate version upgrades to logback-core 1.5.13 or later, which contain patches addressing the JaninoEventEvaluator vulnerability. Organizations should also implement strict access controls on logback configuration files, ensuring that only authorized personnel can modify these critical components. Environment variable injection should be carefully monitored and validated, with applications configured to reject suspicious or untrusted environment variables pointing to configuration files. The principle of least privilege should be enforced, preventing applications from running with elevated permissions when possible. Additionally, organizations should consider implementing configuration file integrity monitoring solutions that can detect unauthorized modifications to logback configuration files. Security teams should also review their application deployment processes to ensure that configuration files are properly validated before application startup, and consider implementing automated scanning tools that can detect potentially malicious expressions within configuration files. Regular security audits and penetration testing should be conducted to identify and remediate similar vulnerabilities across the application stack, as this type of vulnerability often indicates broader security gaps in application configuration management and privilege escalation controls.

Responsible

NCSC.ch

Reservation

12/19/2024

Disclosure

12/19/2024

Moderation

accepted

CPE

ready

EPSS

0.00404

KEV

no

Activities

very low

Sources

Want to know what is going to be exploited?

We predict KEV entries!