Would it be possible to provide more details of concerned classes which
cause the DDOS or give an example how to reproduce this?
On 2023/03/10 13:37:22 Arnout Engelen wrote:
> Severity: low
>
> Description:
>
> ** UNSUPPORTED WHEN ASSIGNED **
>
> When using the Chainsaw or SocketAppender components with Log4j 1.x
on JRE less than 1.7, an attacker that manages to cause a logging entry
involving a specially-crafted (ie, deeply nested)
> hashmap or hashtable (depending on which logging component is in use)
to be processed could exhaust the available memory in the virtual
machine and achieve Denial of Service when the object is deserialized.
>
> This issue affects Apache Log4j before 2. Affected users are
recommended to update to Log4j 2.x.
>
> NOTE: This vulnerability only affects products that are no longer
supported by the maintainer.
>
> Credit:
>
> Garrett Tucker of Red Hat (reporter)
>
> References:
>
> https://logging.apache.org/
> https://www.cve.org/CVERecord?id=CVE-2023-26464
>
>
--
Marián Konček
