Package: apache-log4j1.2 / 1.2.17-10

CVE-2019-17571.patch Patch series | download
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
From: Markus Koschany <apo@debian.org>
Date: Sat, 11 Jan 2020 23:01:09 +0100
Subject: CVE-2019-17571

Bug-Debian: https://bugs.debian.org/947124
Origin: https://src.fedoraproject.org/rpms/log4j12/c/d4c817c458d69dcc629a7271999d178b0dcb7c74?branch=master
---
 .../apache/log4j/FilteredObjectInputStream.java    | 65 ++++++++++++++++++++++
 src/main/java/org/apache/log4j/net/SocketNode.java | 17 +++++-
 2 files changed, 80 insertions(+), 2 deletions(-)
 create mode 100644 src/main/java/org/apache/log4j/FilteredObjectInputStream.java

diff --git a/src/main/java/org/apache/log4j/FilteredObjectInputStream.java b/src/main/java/org/apache/log4j/FilteredObjectInputStream.java
new file mode 100644
index 0000000..b9ef20c
--- /dev/null
+++ b/src/main/java/org/apache/log4j/FilteredObjectInputStream.java
@@ -0,0 +1,65 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements. See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache license, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the license for the specific language governing permissions and
+ * limitations under the license.
+ */
+package org.apache.log4j;
+
+import java.io.FileOutputStream;
+import java.io.IOException;
+import java.io.InputStream;
+import java.io.InvalidObjectException;
+import java.io.ObjectInputStream;
+import java.io.ObjectStreamClass;
+import java.util.Arrays;
+import java.util.Collection;
+import java.util.List;
+
+/**
+ * Extended ObjectInputStream that only allows certain classes to be deserialized.
+ *
+ * Backported from 2.8.2
+ */
+public class FilteredObjectInputStream extends ObjectInputStream {
+
+    private static final List REQUIRED_JAVA_CLASSES = Arrays.asList(new String[] {
+        // Types of non-trainsient fields of LoggingEvent
+        "java.lang.String",
+        "java.util.Hashtable",
+        // ThrowableInformation
+        "[Ljava.lang.String;"
+    });
+
+    private final Collection allowedClasses;
+
+    public FilteredObjectInputStream(final InputStream in, final Collection allowedClasses) throws IOException {
+        super(in);
+        this.allowedClasses = allowedClasses;
+    }
+
+    protected Class resolveClass(final ObjectStreamClass desc) throws IOException, ClassNotFoundException {
+        String name = desc.getName();
+        if (!(isAllowedByDefault(name) || allowedClasses.contains(name))) {
+            throw new InvalidObjectException("Class is not allowed for deserialization: " + name);
+        }
+        return super.resolveClass(desc);
+    }
+
+    private static boolean isAllowedByDefault(final String name) {
+        return name.startsWith("org.apache.log4j.") ||
+            name.startsWith("[Lorg.apache.log4j.") ||
+            REQUIRED_JAVA_CLASSES.contains(name);
+    }
+
+}
diff --git a/src/main/java/org/apache/log4j/net/SocketNode.java b/src/main/java/org/apache/log4j/net/SocketNode.java
index e977f13..f95bb10 100644
--- a/src/main/java/org/apache/log4j/net/SocketNode.java
+++ b/src/main/java/org/apache/log4j/net/SocketNode.java
@@ -22,6 +22,10 @@ import java.io.IOException;
 import java.io.InterruptedIOException;
 import java.io.ObjectInputStream;
 import java.net.Socket;
+import java.util.ArrayList;
+import java.util.Arrays;
+import java.util.Collection;
+import org.apache.log4j.FilteredObjectInputStream;
 
 import org.apache.log4j.Logger;
 import org.apache.log4j.spi.LoggerRepository;
@@ -53,8 +57,9 @@ public class SocketNode implements Runnable {
     this.socket = socket;
     this.hierarchy = hierarchy;
     try {
-      ois = new ObjectInputStream(
-                         new BufferedInputStream(socket.getInputStream()));
+      ois = new FilteredObjectInputStream(
+                         new BufferedInputStream(socket.getInputStream()),
+                         getAllowedClasses());
     } catch(InterruptedIOException e) {
       Thread.currentThread().interrupt();
       logger.error("Could not open ObjectInputStream to "+socket, e);
@@ -65,6 +70,14 @@ public class SocketNode implements Runnable {
     }
   }
 
+  private Collection getAllowedClasses() {
+      Collection allowedClasses = new ArrayList();
+      String property = System.getProperty("org.apache.log4j.net.allowedClasses");
+      if (property != null)
+          allowedClasses.addAll(Arrays.asList(property.split(",")));
+      return allowedClasses;
+  }
+
   //public
   //void finalize() {
   //System.err.println("-------------------------Finalize called");