List: oss-security
Subject: Re: [oss-security] CVE-2021-45046: Apache Log4j2 Thread Context Message Pattern and Context Lookup P
From: Moritz Bechler <mbechler () eenterphace ! org>
Date: 2021-12-18 10:30:16
Message-ID: 11aa374e-5dcf-71a3-9a56-aa1ea764cb12 () eenterphace ! org
Hi,
> For =2.15 this is mostly mitigated by the fact that the protocol and target host
> to which lookups are possible are also restricted to localhost by
> default. There still seems to be a way to hang/crash the process, though.
>
Updating that for completeness: a bypass of that hostname restriction
was found by Alvaro Munoz, exploiting different URI interpretations by
the standard Uri class and JNDI.
Therefore 2.15 can be vulnerable again to RCE, if a layout
with attacker-controlled input outside the message is used or the
expression lookup has been re-enabled.
This also requires resolving a DNS name like 127.0.0.1#x.y.z or
localhost#x.y.z, which some resolvers and likely recursors will directly
reject.
Moritz