QOS.CH logback-core
cpe:2.3:a:qos:logback:*:*:*:*:*:*:*:*
- <= 1.5.18
A vulnerability allowing arbitrary code execution has been identified in QOS.CH Logback-core versions through 1.5.18. It affects Java applications that use Logback together with the Janino library and the Spring Framework. The flaw lies in the conditional processing of Logback configuration files (the <if condition="..."> construct, whose condition expression is compiled and evaluated as Java code by Janino). An attacker who can alter a Logback configuration file, or inject an environment variable that causes the application to load an attacker-controlled configuration file, can have arbitrary code executed when that configuration is processed. Either write access to the configuration file or the ability to set an environment variable before the application starts is required.
Successful exploitation yields arbitrary code execution with the privileges of the affected application.
Reproduction requires an application that bundles logback-core 1.5.18 or earlier together with the Janino library and the Spring Framework. The vulnerability is triggered when the application processes a configuration file under the attacker's control, reached either by modifying the existing Logback configuration file or by injecting an environment variable that points the application at a malicious one. In both cases the attacker must already hold the corresponding privilege: write access to the configuration file, or the ability to set environment variables in the process environment before startup. Because these preconditions imply prior access to the host or deployment, the practical exposure is greatest where configuration files or the startup environment are writable by less trusted users, containers, or pipeline stages.
Users are advised to upgrade to Logback version 1.5.19 or later, where this vulnerability has been fixed. Until the upgrade is deployed, confirm that Logback configuration files are writable only by the deploying identity and that untrusted parties cannot set environment variables in the application's startup environment.
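The following is an added triage script written for this page; it is not code from QOS.CH or from the Logback project. It answers the two questions the preconditions above raise for a deployment: whether a logback-core release through 1.5.18 is on the classpath next to Janino, and which <if condition="..."> expressions the active configuration contains. It assumes Logback's documented conditional-processing syntax (an `if` element carrying a `condition` attribute) and its documented helper functions `isDefined`, `isNull`, `property` and `p`; the allow-list built from those helpers is this editor's heuristic for spotting conditions that go beyond them, not a Logback feature. The sample classpath listing and configuration are constructed for the example.

```python
"""Offline pre-check for the Logback-core conditional-processing issue.

Answers, for one deployment:
  1. Is logback-core <= 1.5.18 present alongside Janino (the library that
     compiles <if condition="..."> expressions as Java)?
  2. Which <if> conditions does the Logback configuration contain, and do any
     of them use more than the documented helpers (isDefined, isNull,
     property, p)?  Every condition is compiled as Java regardless; the
     allow-list is only an editor's heuristic for prioritising review.
"""
import json
import re
import xml.etree.ElementTree as ET

FIXED_VERSION = (1, 5, 19)  # first release the advisory names as fixed
DOCUMENTED_HELPERS = {"isDefined", "isNull", "property", "p"}
# Common String methods and literals that are harmless on their own.
BENIGN_TOKENS = {"true", "false", "null", "equals", "contains", "startsWith", "endsWith"}

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)")
_JAR_RE = re.compile(r"^(logback-core|janino)-(\d+\.\d+\.\d+)[^/]*\.jar$")
_IDENT_RE = re.compile(r"[A-Za-z_][A-Za-z0-9_.]*")

# Constructed sample input (not taken from any real deployment).
SAMPLE_CLASSPATH = [
    "lib/logback-core-1.5.18.jar",
    "lib/logback-classic-1.5.18.jar",
    "lib/janino-3.1.12.jar",
    "lib/spring-core-6.2.0.jar",
]
SAMPLE_CONFIG = """<configuration>
  <if condition='isDefined("LOG_DIR")'>
    <then><property name="dir" value="${LOG_DIR}"/></then>
    <else><property name="dir" value="/tmp/logs"/></else>
  </if>
  <if condition='property("HOSTNAME").contains("prod")'>
    <then><root level="WARN"/></then>
  </if>
  <if condition='System.getProperty("user.name") != null'>
    <then><root level="DEBUG"/></then>
  </if>
</configuration>"""


def parse_version(text):
    """'1.5.18' or '1.5.18-SNAPSHOT' -> (1, 5, 18); None if unparseable."""
    m = _VERSION_RE.match(text.strip())
    return tuple(int(x) for x in m.groups()) if m else None


def is_affected(version_text):
    """True for every logback-core release through 1.5.18 (i.e. below 1.5.19)."""
    v = parse_version(version_text)
    return v is not None and v < FIXED_VERSION


def inventory_jars(jar_paths):
    """Map 'logback-core' / 'janino' -> version for jars found in a classpath listing."""
    found = {}
    for path in jar_paths:
        m = _JAR_RE.match(path.rsplit("/", 1)[-1])
        if m:
            found[m.group(1)] = m.group(2)
    return found


def _strip_string_literals(expr):
    # Replace "..." literals so their contents are not mistaken for identifiers.
    return re.sub(r'"(?:\\.|[^"\\])*"', '""', expr)


def unexpected_identifiers(condition):
    """Identifiers in a condition that are neither documented helpers nor benign tokens."""
    found = set()
    for tok in _IDENT_RE.findall(_strip_string_literals(condition)):
        if tok.split(".")[0] not in DOCUMENTED_HELPERS and tok not in BENIGN_TOKENS:
            found.add(tok)
    return sorted(found)


def audit_config(xml_text):
    """Return [(condition, unexpected_identifiers)] for every <if> element, at any depth."""
    root = ET.fromstring(xml_text)
    return [(el.get("condition", ""), unexpected_identifiers(el.get("condition", "")))
            for el in root.iter("if")]


def assess(jar_paths, xml_text):
    """Combine the classpath and configuration checks into one report."""
    jars = inventory_jars(jar_paths)
    conditions = audit_config(xml_text)
    return {
        "logback_core_version": jars.get("logback-core"),
        "affected_version": is_affected(jars.get("logback-core", "")),
        "janino_present": "janino" in jars,
        "conditional_processing_used": bool(conditions),
        "conditions_needing_review": [c for c, ids in conditions if ids],
    }


if __name__ == "__main__":
    print(json.dumps(assess(SAMPLE_CLASSPATH, SAMPLE_CONFIG), indent=2))
```

A report with `affected_version` and `janino_present` both true means the upgrade to 1.5.19 is not optional; `conditions_needing_review` lists the conditions whose expressions reach beyond the documented helpers and should be read by a human, while the file-permission and environment checks from the remediation paragraph still apply to every entry.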