Logback VS jdk8u

Java -> Logback, Log4j2, JDK (Java Util Logging), Slf4j, e.t.c.

This is a GitHub link to my demo app. It’s simple Spring Boot web app used to debugging various stuff. There are many ways to configure JSON logging in Spring Boot. I decided to use Logback because it is easy to configure and one of the most widely used logging library in the Java Community. To enable JSON logging we need to add below dependencies.

Logback(https://logback.qos.ch/) is another non-commercial Java logging framework. It labels itself as a successor to the previously discussed Log4j framework.

> Then apache decides to put new people on log4j, do a backward incompatible v2 design that nevertheless is worse than slf4j. Why?

slf4j itself isn't a logging framework. It's a facade to logging frameworks.

Simple Logging Facade for Java ( https://www.slf4j.org )

It needs a logging framework behind it - log4j, log4j2, logback, commons, JUL.

The question is "why do log4j2?"

Logback went from the log4j1.x path ( https://logback.qos.ch )

Log4j2 has a lot of features that weren't present when the project started ( https://en.wikipedia.org/wiki/Log4j#Apache_Log4j_2 ).

There is a licensing difference between Logback (LGPL) and Log4jx (Apache Commons).

Also, I'd like you to pay attention to the log consumer. You see, when the E2E scenario fails, it's not always obvious why. Sometimes to understand the source of the problem you have to dig into containers' logs. Thankfully the log consumer allows us to forward a container's logs to any SLF4J logger instance. In this project, containers' logs are forwarded to regular text files (you can find the Logback configuration in the repository). Though it's much better to transfer logs to external logging facility (e.g. Kibana).

This shows that the MariaDB JDBC driver uses Logback as a logging framework. Although Logback is not affected by Log4Shell, it has a related vulnerability (of much lesser severity, no need to panic) fixed in version 1.2.8 and 1.3.0-alpha11. I checked the version used by the connector and found that it used 1.3.0-alpha10. Even though Logback is included as a test dependency in the MariaDB driver, I sent a pull request on GitHub to update it. I encourage you to do the same in any open-source project you find and that includes a vulnerable dependency.

Dependencing on the project, changing the logger might range from easy peasy to a multi-week task. I'm ready to bet that in many (most?) cases, it'd actually be quite easy, so let's explore how to do it, using Logback as the target (there aren't that many alternatives actually).

behold logback doing a bunch of JNDI fixes: https://github.com/qos-ch/logback/commit/c43bd30e1092b89bb91f5fb6a28310956b3bac61

Would an atomic mutable subclass cache (not sure what it's used for, downcasting?) be unnecessary in a language built around static rather than dynamic dispatch by default, like C/C++/Rust and perhaps Go? Or would it still speed up dynamically dispatched code, but is less practical or worthwhile so it isn't used in practice? (Though Rust's Arc also suffers from atomic contention similar to this blog post, when used across dozens of threads: https://pkolaczk.github.io/server-slower-than-a-laptop/)

Also it's somewhat ironic that the JVM source code (https://github.com/openjdk/jdk8u/blob/jdk8u352-b07/hotspot/s...) says "This code is rarely used, so simplicity is a virtue here" at the site of a bottleneck.

Use the latest JDK (Developer's Kit) or JRE (Runtime Environment) for Java 8, compiled and distributed by AdoptOpenJDK from the official Read-Only source.

The majority of the work on 8u, 11u, 17u releases happens in OpenJDK upstream, in so called JDK Updates Projects, by engineers from the interested JDK vendors. You can get a peek who does this kind of work from the repository histories, for example the most recent 11.0.13 is done by engineers from Red Hat (including yours truly), SAP, Azul, Microsoft, BellSoft, Tencent, Amazon, Alibaba, IBM, ARM, Google.

> whatever it returned would just get inserted as a string into the log output, no big deal.

Once you can inject anything that gets resolved, you have an information disclosure vulnerability unrelated to the RCE.

If I can just DNS resolve any ${env} variable from the JVM, a lot of systems are compromised by just exposing the env or system variables configured for runtime.

Just getting your $AWS_ACCESS_KEY_ID and $AWS_SECRET_ACCESS_KEY env vars can compromise your bucket (sure, that is a really unsafe setup now, but it was almost the standard a few years ago over configuring it explicitly).

So a logging system which will merely resolve a hostname derived from a variable was bad enough to compromise many systems.

The serialization loophole was fixed in a jdk8 update.

https://github.com/openjdk/jdk8u/commit/006e84fc77a582552e71...

But even with that in place, the information disclosure of java System or env properties is bad enough to break actual systems in prod.

> Turns out, by including "." in some part of the URL to this remote class, Log4j lets off its guard & simply looks up to that server and dynamically loads the class file.

No it doesn't. That was disabled by default in 2009, and was disabled by default in every release of Java 8 or later: https://github.com/openjdk/jdk8u/commit/006e84fc77a582552e71...

Unless i am mistaken, i don't believe the attack as described by LunaSec actually works against a default-configured JVM released any time in the last decade.