oss-sec mailing list archives
Re: CVE-2021-45046: Apache Log4j2 Thread Context Message Pattern and Context Lookup Pattern vulnerable to a denial of service attack
From: Jeffrey Walton <noloader () gmail com>
Date: Wed, 15 Dec 2021 06:39:13 -0500
Hi Ron,
It was found that the fix to address CVE-2021-44228 in Apache Log4j 2.15.0 was incomplete in certain non-default configurations. This could allows [DoS]...
Is there any information on the non-default configuration that triggers the DoS? What I am trying to understand is, if we clear the first CVE through, say, envar LOG4J_FORMAT_MSG_NO_LOOKUPS=true or -Dlog4j2.formatMsgNoLookups=true, then where does the vulnerability lie for the second CVE? What configuration change needs to be done to reduce risk on the second CVE after the first CVE has been mitigated? The reason I ask is, we don't have the option of updating to v2.16 (or v2.15) on some machines and programs, so we are trying to reduce and manage the risk. Jeff On Tue, Dec 14, 2021 at 12:10 PM Ron Grabowski <rgrabowski () apache org> wrote:
Severity: moderate (CVSS: 3.7 AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L) Description: It was found that the fix to address CVE-2021-44228 in Apache Log4j 2.15.0 was incomplete in certain non-default configurations. This could allows attackers with control over Thread Context Map (MDC) input data when the logging configuration uses a non-default Pattern Layout with either a Context Lookup (for example, $${ctx:loginId}) or a Thread Context Map pattern (%X, %mdc, or %MDC) to craft malicious input data using a JNDI Lookup pattern resulting in a denial of service (DOS) attack. Log4j 2.15.0 restricts JNDI LDAP lookups to localhost by default. Note that previous mitigations involving configuration such as to set the system property `log4j2.noFormatMsgLookup` to `true` do NOT mitigate this specific vulnerability. Log4j 2.16.0 fixes this issue by removing support for message lookup patterns and disabling JNDI functionality by default. This issue can be mitigated in prior releases (<2.16.0) by removing the JndiLookup class from the classpath (example: zip -q -d log4j-core-*.jar org/apache/logging/log4j/core/lookup/JndiLookup.class). References: https://logging.apache.org/log4j/2.x/security.html https://www.cve.org/CVERecord?id=CVE-2021-44228
Current thread:
- CVE-2021-45046: Apache Log4j2 Thread Context Message Pattern and Context Lookup Pattern vulnerable to a denial of service attack Ron Grabowski (Dec 14)
- Re: CVE-2021-45046: Apache Log4j2 Thread Context Message Pattern and Context Lookup Pattern vulnerable to a denial of service attack Jeffrey Walton (Dec 15)