http://qs321.pair.com?node_id=11139869

bliako has asked for the wisdom of the Perl Monks concerning the following question:

Log4Shell doesn't *look* like it affects Perl's Log::Log4perl according to Mark Gardner. But it is unclear to me still whether Log::Log4perl makes calls to the Java API of log4j (dangerous, at least until log4j is code-reviewed properly and superfluous and lethal enhancements are removed) or implements/emulates most of them (obviously not the remote code execution via JNDI) in pure Perl (not dangerous for JNDI injections). The author says: ... Log::Log4perl is different. It is a pure Perl port of the widely popular Apache/Jakarta log4j library [3] for Java. I do take their word but I am unable to say anything from just reading the source code. I can't understand it. Can anyone shed some light?

So, bottom line is: Log4Shell doesn't *look* like it affects Perl's Log::Log4perl but can anyone explain why?

bw, bliako

p.s. Tangentially: I always thought superfluous enhancements are bad for open source software, starting from gcc's verbal diarrhea, to colour output to most linux commands, to getting unicode (e.g. left-right quotes, ellipses) from the output of linux commands (and even systemd, possibly kernel messages, linux startup messages are full of them). Anyway, this p.s. is for spending my rant-stash for 2021.

Re: Log4Shell and Log::Log4perl
by Corion (Patriarch) on Dec 24, 2021 at 10:58 UTC

    I don't know what you're getting at exactly, but I'm going to make some guesses:

    Log::Log4perl works without Java installed, so if it has vulnerabilities, these are not caused by any Java dependency.

    The main vulnerability in Log4j is the (v2) loading of code via JNDI. Log::Log4perl does implement the version 1 API of Log4j.

    If you don't understand the source code, you will have to trust somebody who says that there is no vulnerability.

      I don't know what you're getting at exactly...

      I wanted an explanation as to why it is not vulnerable. What you said is a fine explanation: i.e., 1) it implements v1 API of Log4j (and not v2) and 2) it is pure Perl and does not call Log4j's java jars. Fine, thanks.

Re: Log4Shell and Log::Log4perl
by Perlbotics (Archbishop) on Dec 24, 2021 at 18:51 UTC

    Although Java is not directly involved, I think it's noteworthy that Log::Log4perl offers code execution while reading configuration files. This might be an entry point for an attacker, although not as serious as Log4Shell since it requires access to the Log4perl configuration files while Log4Shell requires just lazy or no input validation.

    #!/usr/bin/env perl
    use strict;
    use warnings;
    use Log::Log4perl;

    sub some_quote { qq{I solemnly swear that I am up to no good.\n} };

    #-- this would be the content of a manipulated log4perl configuration file
    my $conf = q(
      #-- this could be the content of a configuration file ...
      log4perl.category.Foo.Bar       = INFO, Screen
      log4perl.appender.Screen        = Log::Log4perl::Appender::Screen
      log4perl.appender.Screen.stderr = 0
      log4perl.appender.Screen.layout = \
        sub { \
          print some_quote(); system("date"); \
          return "Log::Log4perl::Layout::SimpleLayout"; \
        }
    );

    ## Log::Log4perl::Config->allow_code(0); #-- would have disabled code execution

    Log::Log4perl::init( \$conf );
    my $logger = Log::Log4perl::get_logger('Foo::Bar');
    $logger->info("Mischief managed.");

    Output:

    I solemnly swear that I am up to no good.
    Fri Dec 24 19:33:09 CET 2021
    INFO - Mischief managed.

    This feature can be disabled (see FAQ) using:

    Log::Log4perl::Config->allow_code(0);

      If you can modify the config, you can modify the rest of the application. This doesn't seem like a meaningful point in discussing possible security flaws in any library?

        As noted in the docs it's possible to disable this behavior with:

        Log::Log4perl::Config->allow_code(0);

        The cake is a lie.

        If you can modify the config, you can modify the rest of the application.
        True in Perl, Python, Javascript etc., not necessarily in Java, C++, etc. - or at least harder. It boils down to proper access permissions and running the application always with least privileges.

        The core of Log4Shell is the unexpected or little known behaviour of the library to contact remote services. Usually, I would expect a configuration file to hold static read-only data, not fractions of code that could be executed - and that's also unexpected or little known Log::Log4perl behaviour.
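As an added example (not code from Perlbotics or from the Log::Log4perl project) of the defensive side of the discussion above: it shows how `Log::Log4perl::Config->allow_code(0)` makes init refuse a code-bearing config instead of running it, and pairs that with a small static check that flags config values which Log4perl would compile as Perl. `find_code_values` and `init_without_code` are hypothetical helpers written for this example; the two config strings are constructed samples modelled on the post above, and the script assumes Log::Log4perl is installed.

```perl
#!/usr/bin/env perl
use strict;
use warnings;
use Log::Log4perl;

# Constructed sample: a config carrying Perl code, like the one in the post above.
my $code_conf = q(
  log4perl.category.Foo.Bar       = INFO, Screen
  log4perl.appender.Screen        = Log::Log4perl::Appender::Screen
  log4perl.appender.Screen.stderr = 0
  log4perl.appender.Screen.layout = \
    sub { system("date"); return "Log::Log4perl::Layout::SimpleLayout"; }
);

# Constructed sample: the same config with static, data-only values.
my $plain_conf = q(
  log4perl.category.Foo.Bar       = INFO, Screen
  log4perl.appender.Screen        = Log::Log4perl::Appender::Screen
  log4perl.appender.Screen.stderr = 0
  log4perl.appender.Screen.layout = Log::Log4perl::Layout::SimpleLayout
);

# Hypothetical helper: list every "key = value" line whose value would be
# treated as Perl code by Log4perl, i.e. a value that starts with "sub {"
# once backslash line continuations have been joined.
sub find_code_values {
    my ($conf) = @_;
    (my $joined = $conf) =~ s/\\\n//g;    # join "\"-continued lines
    my @flagged;
    for my $line (split /\n/, $joined) {
        next unless $line =~ /^\s*([\w.]+)\s*=\s*(.*)$/;
        my ($key, $value) = ($1, $2);
        push @flagged, "$key => $value" if $value =~ /^\s*sub\s*\{/;
    }
    return @flagged;
}

# Hypothetical helper: initialise Log4perl with code in config disabled.
# With allow_code(0) set before init, a code-bearing value makes init die,
# so the eval turns that into a "refused" result instead of a crash.
sub init_without_code {
    my ($conf) = @_;
    Log::Log4perl::Config->allow_code(0);
    eval { Log::Log4perl::init(\$conf); 1 } or return "refused: $@";
    return "ok";
}

for my $case (['code-bearing', $code_conf], ['data-only', $plain_conf]) {
    my ($name, $conf) = @$case;
    my @hits = find_code_values($conf);
    print "$name config: ",
        (@hits ? "flagged " . join('; ', @hits) : "no code values"), "\n";
    print "$name init with allow_code(0): ", init_without_code($conf), "\n";
}
```

The static check is the cheap part: run it over any config that comes from a writable or shared location before handing it to `init`, and treat a hit as a finding rather than trusting the file. `allow_code(0)` is the actual control; Log4perl also accepts `allow_code("safe")`, which compiles config code inside a Safe compartment, but for most deployments a plain refusal is the simpler and more predictable setting.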

Re: Log4Shell and Log::Log4perl
by perlfan (Vicar) on Dec 27, 2021 at 22:07 UTC

    The only thing I know of that uses perl and Java in an unholy alliance is MatLab, though there could be others.