[prev in list] [next in list] [prev in thread] [next in thread]
List: oss-security
Subject: [oss-security] CVE-2021-45105: Apache Log4j2 does not always protect from infinite recursion in look
From: Matt Sicker <mattsicker () apache ! org>
Date: 2021-12-19 0:02:02
Message-ID: CACmp6kqFOo0+SsDk-xEuBTvwz6zDRSEpsKobu=dcjVza=TN1pA () mail ! gmail ! com
[Download RAW message or body]
Severity: high
Description:
Apache Log4j2 versions 2.0-alpha1 through 2.16.0 (excluding 2.12.3)
did not protect from uncontrolled recursion from self-referential
lookups. This allows an attacker with control over Thread Context Map
data to cause a denial of service when a crafted string is
interpreted. This issue was fixed in Log4j 2.17.0 and 2.12.3.
This issue is being tracked as LOG4J2-3230
Mitigation:
Implement one of the following mitigation techniques:
* Java 8 (or later) users should upgrade to release 2.17.0.
Alternatively, this can be mitigated in configuration:
* In PatternLayout in the logging configuration, replace Context
Lookups like `${ctx:loginId}` or `$${ctx:loginId}` with Thread Context
Map patterns (%X, %mdc, or %MDC).
* Otherwise, in the configuration, remove references to Context
Lookups like `${ctx:loginId}` or `$${ctx:loginId}` where they
originate
from sources external to the application such as HTTP headers or user input.
Credit:
Independently discovered by Hideki Okamoto of Akamai Technologies, Guy
Lederfein of Trend Micro Research working with Trend Micro's Zero Day
Initiative, and another anonymous vulnerability researcher
References:
https://logging.apache.org/log4j/2.x/security.html
--
Matt Sicker
PMC Member, Logging Services, Apache Software Foundation
[prev in list] [next in list] [prev in thread] [next in thread]
Configure |
About |
News |
Add a list |
Sponsored by KoreLogic