QOS.CH logback-core
cpe:2.3:a:qos:logback:*:*:*:*:*:*:*
- <= 1.5.32
A vulnerability in QOS.CH Logback's logback-core module, specifically in HardenedObjectInputStream, allows object injection through deserialization of untrusted data. An attacker can exploit it by influencing the serialized data sent to either SimpleSocketServer or SimpleSSLSocketServer. HardenedObjectInputStream is designed to restrict which classes may be deserialized, but that restriction can be bypassed: objects of classes from the java.lang and java.util packages that are not explicitly blocked can still be instantiated from the stream. This issue is not currently known to lead to remote code execution or significant privilege escalation, but it still represents a notable security risk. It affects Logback versions through 1.5.32 inclusive.
Successful exploitation results in unauthorized object injection, which could allow an attacker to manipulate application behavior or bypass security controls that assume only the expected event classes arrive over the socket.
The vulnerability can be reproduced by sending crafted serialized data to a Logback application's SimpleSocketServer or SimpleSSLSocketServer, using a client that connects to the server and transmits the serialized objects. Deserialization happens on the server side as the stream is read, so an object of any accepted class is instantiated before application code sees it; what the injected objects can then do depends on the specific classes and methods the application exercises. Note that the attack surface exists only when the application actually runs one of these socket servers on a port the attacker can reach.
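The following is an added example written for this page, not logback's own source, to make the mechanism described above concrete: a prefix-based allow rule lets any class under java.lang or java.util through without being listed, whereas an exact-name allowlist rejects everything that is not explicitly expected. `PrefixAllowInputStream` is an illustration of the package-prefix rule the advisory describes (not a copy of HardenedObjectInputStream), `ExactAllowInputStream` is the hardened counterpart, and `SampleEvent` is a hypothetical stand-in for the event type a socket receiver expects. The two inputs (an expected event and an untrusted java.util.HashMap) are constructed inline so the program runs offline.

```java
import java.io.*;
import java.util.*;

public class DeserializationAllowlistDemo {

    /** Hypothetical event type standing in for what a socket receiver expects (assumption). */
    public static final class SampleEvent implements Serializable {
        private static final long serialVersionUID = 1L;
        final String message;
        SampleEvent(String message) { this.message = message; }
    }

    /** Prefix policy: anything under java.lang or java.util resolves even if not listed. */
    static final class PrefixAllowInputStream extends ObjectInputStream {
        private static final String[] JAVA_PACKAGES = { "java.lang", "java.util" };
        private final Set<String> allowed;

        PrefixAllowInputStream(InputStream in, Set<String> allowed) throws IOException {
            super(in);
            this.allowed = allowed;
        }

        @Override
        protected Class<?> resolveClass(ObjectStreamClass desc) throws IOException, ClassNotFoundException {
            String name = desc.getName();
            for (String pkg : JAVA_PACKAGES) {
                if (name.startsWith(pkg)) return super.resolveClass(desc); // package-level escape hatch
            }
            if (allowed.contains(name)) return super.resolveClass(desc);
            throw new InvalidClassException("Unauthorized deserialization attempt", name);
        }
    }

    /** Exact-name policy: only listed class names resolve; the check runs before instantiation. */
    static final class ExactAllowInputStream extends ObjectInputStream {
        private final Set<String> allowed;

        ExactAllowInputStream(InputStream in, Set<String> allowed) throws IOException {
            super(in);
            this.allowed = allowed;
        }

        @Override
        protected Class<?> resolveClass(ObjectStreamClass desc) throws IOException, ClassNotFoundException {
            String name = desc.getName();
            if (!allowed.contains(name)) {
                throw new InvalidClassException("Unauthorized deserialization attempt", name);
            }
            return super.resolveClass(desc);
        }
    }

    /** Serializes an object with the standard Java serialization format. */
    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) {
            oos.writeObject(o);
        }
        return bos.toByteArray();
    }

    /** Reads one object under the chosen policy; reports the class accepted or the class rejected. */
    static String tryRead(byte[] data, boolean exact, Set<String> allowed) throws IOException {
        try (ObjectInputStream in = exact
                ? new ExactAllowInputStream(new ByteArrayInputStream(data), allowed)
                : new PrefixAllowInputStream(new ByteArrayInputStream(data), allowed)) {
            return "ACCEPTED: " + in.readObject().getClass().getName();
        } catch (InvalidClassException e) {
            return "REJECTED: " + e.classname;
        } catch (ClassNotFoundException e) {
            return "REJECTED: " + e.getMessage();
        }
    }

    public static void main(String[] args) throws IOException {
        Set<String> allowed = Set.of(SampleEvent.class.getName());
        // Constructed inputs: the event the receiver expects, and an untrusted
        // java.util object that a client could send in its place.
        byte[] event = serialize(new SampleEvent("hello"));
        byte[] untrusted = serialize(new HashMap<>(Map.of("k", "v")));

        for (boolean exact : new boolean[] { false, true }) {
            String policy = exact ? "exact-name" : "prefix    ";
            System.out.println(policy + " event     -> " + tryRead(event, exact, allowed));
            System.out.println(policy + " untrusted -> " + tryRead(untrusted, exact, allowed));
        }
    }
}
```

Run with `java DeserializationAllowlistDemo.java` (JDK 11 or later). Under the prefix policy the HashMap is instantiated before any application code runs; under the exact-name policy `resolveClass` refuses it and nothing is constructed. Two design points worth noting: a bare `startsWith("java.lang")` also admits subpackages such as java.lang.reflect, and on JDK 9+ the same exact-name restriction can be expressed declaratively with `ObjectInputFilter` instead of overriding `resolveClass`.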
Users are advised to upgrade to Logback version 1.5.33 or later, where this vulnerability has been addressed. Until then, SimpleSocketServer and SimpleSSLSocketServer should not be reachable from untrusted networks.