Merged in CVE-2021044228-patch-v2 (pull request #9)
67d4142·Author: Victoria Skalrud·Closed by: Victoria Skalrud·2021-12-15
Description
Vulnerability condition:
JMS Appender configured
javax.jms library made available in jvm (can be by plugin exporting classes or jar with impl on classpath)
Topic which is also configured contains jndi lookup to third party
In practice:
Attempting to replicate exploit locally with activemq/others was unsuccessful as InitialContextFactories tried tend to have their own validation about what string they consider resolving
Topic is configured via properties, but since it can be programmatically set, security team indicated we should limit this vector to be safe to prevent issues arising due to plugins.
Proposed Fix:
First commit: Reformat file
Second commit: CVE-2021-44228: Apply regular expression to ensure topic names don't potentially result in external jndi lookups
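One way to implement the kind of check the second commit describes, as an added example and not the code from this pull request: an allow-list regular expression applied to a topic's JNDI name before it is passed to `javax.naming.Context.lookup`. The class name, the pattern and the sample names are assumptions; the pattern the pull request actually uses is not shown on this page.

```java
import java.util.regex.Pattern;
import javax.naming.Context;
import javax.naming.NamingException;

public final class JndiNameCheck {
    // Assumed allow-list, not the pattern from the pull request: an optional
    // "java:" prefix followed by '/'-separated segments of letters, digits,
    // '_', '.' and '-'. Any other ':' (a URL scheme such as ldap:), "//",
    // '=', whitespace or an empty string makes the name fail to match.
    private static final Pattern LOCAL_NAME =
            Pattern.compile("(java:)?/?[A-Za-z0-9_.-]+(/[A-Za-z0-9_.-]+)*");

    static boolean isLocalName(String name) {
        return name != null
                && name.length() <= 255
                && LOCAL_NAME.matcher(name).matches();
    }

    // Validate first, then look up, so a rejected name never reaches the
    // InitialContextFactory and nothing depends on that factory's own checks.
    static Object lookupLocal(Context ctx, String name) throws NamingException {
        if (!isLocalName(name)) {
            throw new NamingException("Refusing non-local JNDI name");
        }
        return ctx.lookup(name);
    }

    public static void main(String[] args) {
        // Constructed sample names; the host uses the reserved .invalid TLD.
        String[] samples = {
            "dynamicTopics/logs",
            "java:comp/env/jms/LogTopic",
            "ldap://directory.example.invalid/cn=LogTopic",
            "//directory.example.invalid/LogTopic",
            "",
        };
        for (String s : samples) {
            System.out.printf("%-50s %s%n", '"' + s + '"',
                    isLocalName(s) ? "accepted" : "rejected");
        }
    }
}
```

Because the topic can be set programmatically as well as through properties, a check like this belongs at the point where the name is consumed rather than only where configuration is parsed.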