oss-sec mailing list archives
CVE-2021-45105: Apache Log4j2 does not always protect from infinite recursion in lookup evaluation
From: Matt Sicker <mattsicker () apache org>
Date: Sat, 18 Dec 2021 18:02:02 -0600
Severity: high Description: Apache Log4j2 versions 2.0-alpha1 through 2.16.0 (excluding 2.12.3) did not protect from uncontrolled recursion from self-referential lookups. This allows an attacker with control over Thread Context Map data to cause a denial of service when a crafted string is interpreted. This issue was fixed in Log4j 2.17.0 and 2.12.3. This issue is being tracked as LOG4J2-3230 Mitigation: Implement one of the following mitigation techniques: * Java 8 (or later) users should upgrade to release 2.17.0. Alternatively, this can be mitigated in configuration: * In PatternLayout in the logging configuration, replace Context Lookups like `${ctx:loginId}` or `$${ctx:loginId}` with Thread Context Map patterns (%X, %mdc, or %MDC). * Otherwise, in the configuration, remove references to Context Lookups like `${ctx:loginId}` or `$${ctx:loginId}` where they originate from sources external to the application such as HTTP headers or user input. Credit: Independently discovered by Hideki Okamoto of Akamai Technologies, Guy Lederfein of Trend Micro Research working with Trend Micro’s Zero Day Initiative, and another anonymous vulnerability researcher References: https://logging.apache.org/log4j/2.x/security.html -- Matt Sicker PMC Member, Logging Services, Apache Software Foundation
Current thread:
- CVE-2021-45105: Apache Log4j2 does not always protect from infinite recursion in lookup evaluation Matt Sicker (Dec 18)