oss-sec mailing list archives

Re: CVE-2021-45046: Apache Log4j2 Thread Context Message Pattern and Context Lookup Pattern vulnerable to a denial of service attack

From: Jeffrey Walton <noloader () gmail com>
Date: Wed, 15 Dec 2021 06:39:13 -0500

Hi Ron,

It was found that the fix to address CVE-2021-44228 in
Apache Log4j 2.15.0 was incomplete in certain non-default
configurations. This could allows [DoS]...


Is there any information on the non-default configuration that triggers the DoS?

What I am trying to understand is, if we clear the first CVE through,
say, envar LOG4J_FORMAT_MSG_NO_LOOKUPS=true or
-Dlog4j2.formatMsgNoLookups=true, then where does the vulnerability
lie for the second CVE? What configuration change needs to be done to
reduce risk on the second CVE after the first CVE has been mitigated?

The reason I ask is, we don't have the option of updating to v2.16 (or
v2.15) on some machines and programs, so we are trying to reduce and
manage the risk.

Jeff

On Tue, Dec 14, 2021 at 12:10 PM Ron Grabowski <rgrabowski () apache org> wrote:


Severity: moderate (CVSS: 3.7 AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L)

Description:

It was found that the fix to address CVE-2021-44228 in Apache Log4j 2.15.0 was incomplete in certain non-default 
configurations. This could allows attackers with control over Thread Context Map (MDC) input data when the logging 
configuration uses a non-default Pattern Layout with either a Context Lookup (for example, $${ctx:loginId}) or a 
Thread Context Map pattern (%X, %mdc, or %MDC) to craft malicious input data using a JNDI Lookup pattern resulting in 
a denial of service (DOS) attack. Log4j 2.15.0 restricts JNDI LDAP lookups to localhost by default. Note that 
previous mitigations involving configuration such as to set the system property `log4j2.noFormatMsgLookup` to `true` 
do NOT mitigate this specific vulnerability.

Log4j 2.16.0 fixes this issue by removing support for message lookup patterns and disabling JNDI functionality by 
default.

This issue can be mitigated in prior releases (<2.16.0) by removing the JndiLookup class from the classpath (example: 
zip -q -d log4j-core-*.jar org/apache/logging/log4j/core/lookup/JndiLookup.class).

References:

https://logging.apache.org/log4j/2.x/security.html
https://www.cve.org/CVERecord?id=CVE-2021-44228

Current thread:

CVE-2021-45046: Apache Log4j2 Thread Context Message Pattern and Context Lookup Pattern vulnerable to a denial of service attack Ron Grabowski (Dec 14)
- Re: CVE-2021-45046: Apache Log4j2 Thread Context Message Pattern and Context Lookup Pattern vulnerable to a denial of service attack Jeffrey Walton (Dec 15)
  - Re: CVE-2021-45046: Apache Log4j2 Thread Context Message Pattern and Context Lookup Pattern vulnerable to a denial of service attack Moritz Bechler (Dec 15)
    - Re: CVE-2021-45046: Apache Log4j2 Thread Context Message Pattern and Context Lookup Pattern vulnerable to a denial of service attack Moritz Bechler (Dec 18)