List:       oss-security
Subject:    Re: [oss-security] CVE-2021-45046: Apache Log4j2 Thread Context Message Pattern and Context Lookup P
From:       Moritz Bechler <mbechler () eenterphace ! org>
Date:       2021-12-18 10:30:16
Message-ID: 11aa374e-5dcf-71a3-9a56-aa1ea764cb12 () eenterphace ! org
Hi,
> For =2.15 this is mostly mitigated by the fact protocol and target host 
> to which lookups are possible are also restricted to localhost by 
> default. There still seems to be a way to hang/crash the process, though.
> 

Updating that for completeness: a bypass of that hostname restriction 
was found by Alvaro Munoz, exploiting different URI interpretations by 
the standard URI class and JNDI. Therefore 2.15 can be vulnerable again 
for RCE, if a layout with attacker-controlled input outside the message 
is used or the expression lookup has been re-enabled.

This also requires resolving a DNS name like 127.0.0.1#x.y.z or 
localhost#x.y.z, which some resolvers and likely recursors will directly 
reject.
Moritz
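
Added example (not part of the mail above or of Log4j itself): a small log
scanner that flags JNDI lookup strings whose host reads as localhost to a
URI-style parser but carries a `#`-split hostname as described above, and
checks whether such a name would even be a valid DNS label set. The
allow-list, the regexes, the sample log lines and the simplified model of
how the JNDI side splits the authority are all assumptions for illustration.

```python
import re
from urllib.parse import urlsplit

# Assumed 2.15-style "localhost only" allow-list (illustrative, not Log4j's code).
LOCAL_HOSTS = {"localhost", "127.0.0.1", "::1"}
JNDI_RE = re.compile(r"\$\{jndi:(?P<uri>[^}]*)\}", re.IGNORECASE)
# RFC 1123 hostname label: letters, digits, hyphens; no '#' allowed.
HOST_LABEL_RE = re.compile(r"^[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?$", re.IGNORECASE)

# Constructed sample log lines (not real traffic).
SAMPLE_LOG = [
    "2021-12-17 10:01:02 INFO user login ok",
    "2021-12-17 10:01:03 INFO User-Agent: ${jndi:ldap://127.0.0.1#x.y.z:1389/a}",
    "2021-12-17 10:01:04 INFO User-Agent: ${jndi:ldap://localhost:1389/a}",
    "2021-12-17 10:01:05 INFO User-Agent: ${jndi:ldap://x.y.z:1389/a}",
]


def raw_authority(uri):
    """Authority as a parser that does NOT stop at '#' would see it:
    everything after '//' up to the next '/' or '?' (simplified model of the
    JNDI-side interpretation; IPv6 brackets and userinfo are ignored here)."""
    rest = uri.split("//", 1)[1] if "//" in uri else ""
    return re.match(r"[^/?]*", rest).group(0)


def classify(uri):
    """'local' if both views agree on an allow-listed host, 'remote' if the
    URI view already points elsewhere, 'hostname-split-bypass' if the URI
    view says localhost but the raw authority carries a '#'-joined name."""
    uri_host = (urlsplit(uri).hostname or "").lower()  # '#' ends the netloc here
    jndi_host = raw_authority(uri).split(":")[0].lower()
    if uri_host in LOCAL_HOSTS and "#" in jndi_host and jndi_host != uri_host:
        return "hostname-split-bypass"
    return "local" if uri_host in LOCAL_HOSTS else "remote"


def resolver_would_reject(host):
    """True if any label violates RFC 1123, i.e. a strict resolver refuses it."""
    return not all(HOST_LABEL_RE.match(label) for label in host.split("."))


def scan(lines):
    """Return (line_number, verdict, uri) for every JNDI lookup found."""
    hits = []
    for n, line in enumerate(lines, 1):
        for m in JNDI_RE.finditer(line):
            hits.append((n, classify(m.group("uri")), m.group("uri")))
    return hits
```

Only the plain `${jndi:...}` form is matched; nested lookups used for
obfuscation would need to be unwrapped before this check.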