This is an automated email from the ASF dual-hosted git repository.

ckozak pushed a commit to branch release-2.x
in repository https://gitbox.apache.org/repos/asf/logging-log4j2.git

commit 5fa35e116e00dfbf49e0b65492191fb189930842
Author: Remko Popma <[email protected]>
AuthorDate: Sat Dec 18 09:11:48 2021 +0900

    [DOC] fix typo: this is not a velocity template page
---
 src/site/markdown/security.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/src/site/markdown/security.md b/src/site/markdown/security.md
index 9b04065..b047964 100644
--- a/src/site/markdown/security.md
+++ b/src/site/markdown/security.md
@@ -60,7 +60,7 @@ Apache Log4j2 does not always protect from infinite recursion 
in lookup evaluati
 
 ### Description
 Apache Log4j2 versions 2.0-alpha1 through 2.16.0 did not protect from 
uncontrolled recursion from self-referential lookups.
-When the logging configuration uses a non-default Pattern Layout with a 
Context Lookup (for example, ``${dollar}${dollar}{ctx:loginId}``),
+When the logging configuration uses a non-default Pattern Layout with a 
Context Lookup (for example, ``$${ctx:loginId}``),
 attackers with control over Thread Context Map (MDC) input data can craft 
malicious input data that contains a recursive lookup,
 resulting in a StackOverflowError that will terminate the process. This is 
also known as a DOS (Denial of Service) attack.
 
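Review bot: The added line now renders the example as ``$${ctx:loginId}`` with a literal doubled `$`, and nothing in the sentence says the doubling is intentional, so a reader may "correct" it to `${ctx:loginId}` when copying it; if the doubled form is the configuration syntax being described, a short parenthetical saying so would help. The diffstat shows a single changed line, so it is worth searching the rest of security.md for any remaining `${dollar}` placeholders left over from the same mistake. As a style point on the unchanged last sentence of this paragraph, "DOS (Denial of Service)" is more commonly written "DoS", which avoids confusion with the operating system name.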
