${ctx:Key} should not be used in releases below 2.16.0 in a routing key - or anything else that operates during log event processing - IF the key contains data that originates externally.

So if your key contains data from an HTTP header and you copy that data into a ThreadContext variable, using that as a routing key could expose your application to bad behavior. In Log4j 2.17.0 we have prevented lookups used while processing log events from recursing, but even then, if you have a user sending you bogus stuff, your routing key may create a route for each unique key, depending on how you configured your routes.

If you must use HTTP headers in this way you should "sanitize" them in a Servlet Filter before they hit your application, only allowing headers that match the "rules" for whatever the data is.
Ralph
> On Dec 20, 2021, at 7:10 AM, Leon Finker <[email protected]> wrote:
>
> Hi,
>
> Could someone please confirm if using ctx in the Routing appender is
> not affected by the latest CVE-2021-45105?
>
> Example,
> <Routing name="Routing">
> <Routes pattern="$${ctx:ROUTINGKEY}">
>
> I wouldn't think so. Just want to double check.
>
> Thank you very much!
>
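The Servlet Filter approach described in the reply above, as an added example that is not part of the original thread or of Log4j itself. It assumes a hypothetical header name X-Tenant, the ThreadContext key ROUTINGKEY from the quoted configuration, and a made-up rule (a short lowercase token) standing in for "the rules for whatever the data is"; the value only reaches the ThreadContext, and therefore the Routing appender, after it has matched that rule.

```java
import java.io.IOException;
import java.util.regex.Pattern;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;

import org.apache.logging.log4j.ThreadContext;

/**
 * Example filter (not Log4j code): copies an externally supplied header into the
 * ThreadContext only after it has matched a strict rule, so the value used by
 * Routes pattern="$${ctx:ROUTINGKEY}" never contains lookup syntax and the set of
 * distinct routes stays bounded.
 */
public class RoutingKeyFilter implements Filter {

    // Header name and rule are assumptions for this example.
    private static final String HEADER = "X-Tenant";
    private static final String CTX_KEY = "ROUTINGKEY";

    // Rule: 1-32 lowercase letters, digits or hyphens. The character set excludes
    // '$', '{', '}' and ':', so the stored value can never be parsed as a lookup,
    // and the length cap limits how many distinct route keys a client can produce.
    private static final Pattern ALLOWED = Pattern.compile("[a-z0-9][a-z0-9-]{0,31}");

    // Requests with a missing or non-conforming header all share one route.
    private static final String FALLBACK = "unknown";

    /** Returns the header value if it satisfies the rule, otherwise the fallback. */
    static String sanitize(String raw) {
        if (raw == null) {
            return FALLBACK;
        }
        return ALLOWED.matcher(raw).matches() ? raw : FALLBACK;
    }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        String raw = (req instanceof HttpServletRequest)
                ? ((HttpServletRequest) req).getHeader(HEADER)
                : null;

        ThreadContext.put(CTX_KEY, sanitize(raw));
        try {
            chain.doFilter(req, res);
        } finally {
            // Always remove the key, or it leaks to the next request served by
            // the same pooled thread.
            ThreadContext.remove(CTX_KEY);
        }
    }

    @Override
    public void init(FilterConfig cfg) {
        // nothing to configure in this example
    }

    @Override
    public void destroy() {
        // nothing to release
    }

    /** Constructed sample inputs showing what reaches the ThreadContext. */
    public static void main(String[] args) {
        String[] samples = {
            "tenant-a",                 // conforms, used as-is
            "${ctx:ROUTINGKEY}",        // lookup syntax, replaced by fallback
            "Tenant-A",                 // uppercase violates the rule, fallback
            null                        // header absent, fallback
        };
        for (String s : samples) {
            System.out.println(s + " -> " + sanitize(s));
        }
    }
}
```

Register the filter ahead of the application's own servlets so the header is checked before any code logs. If the legitimate values are a known, fixed set (for example a list of tenants), comparing against that set instead of a regular expression bounds the number of routes even more tightly, since a regex still admits every string that happens to match it.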