Hi Marian,

This CVE was analyzed within the context of the reload4j project. It was deemed as not a serious or practical threat as its attack surface as it pertains to log4j 1.x is vanishingly small [1].

The reload4j project is a fork of Apache log4j version 1.2.17 with the goal of fixing pressing security issues. Reload4j is a binary compatible, drop-in replacement for log4j version 1.2.17. By drop-in, we mean that you can replace log4j.jar with reload4j.jar in your build with no source code changes, no recompilation, nor rebuild being necessary.

Best regards,

[1] https://github.com/qos-ch/reload4j/issues/63

On 4/21/2023 2:52 PM, Marián Konček wrote:
> Would it be possible to provide more details of concerned classes which
> cause the DDOS or give an example how to reproduce this?
>
> On 2023/03/10 13:37:22 Arnout Engelen wrote:
>> Severity: low
>>
>> Description:
>>
>> ** UNSUPPORTED WHEN ASSIGNED **
>>
>> When using the Chainsaw or SocketAppender components with Log4j 1.x on
>> JRE less than 1.7, an attacker that manages to cause a logging entry
>> involving a specially-crafted (i.e., deeply nested) hashmap or hashtable
>> (depending on which logging component is in use) to be processed could
>> exhaust the available memory in the virtual machine and achieve Denial
>> of Service when the object is deserialized.
>>
>> This issue affects Apache Log4j before 2. Affected users are
>> recommended to update to Log4j 2.x.
>>
>> NOTE: This vulnerability only affects products that are no longer
>> supported by the maintainer.
>>
>> Credit:
>>
>> Garrett Tucker of Red Hat (reporter)
>>
>> References:
>>
>> https://logging.apache.org/
>> https://www.cve.org/CVERecord?id=CVE-2023-26464
>>
>>

-- 
Ceki Gülcü
Sponsoring SLF4J/logback/reload4j at https://github.com/sponsors/qos-ch
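An added defender-side example, not code from reload4j, log4j or the thread above: deserialization of a received payload behind a java.io.ObjectInputFilter that rejects object graphs deeper than a fixed limit, which is the generic control against the deeply nested hashmap/hashtable pattern the advisory describes (the advisory's own recommendation remains moving to Log4j 2.x). It assumes Java 9 or later, and the MAX_DEPTH value of 32 and the nested-map test input are constructed for illustration.

```java
import java.io.*;
import java.util.HashMap;
import java.util.Map;

// Added example, not reload4j/log4j code. Assumes Java 9+ (java.io.ObjectInputFilter).
public class DepthLimitedDeserialization {
    // Assumed limit: a legitimate serialized logging event is a shallow object graph.
    static final int MAX_DEPTH = 32;

    // Reject any object nested deeper than MAX_DEPTH; leave other decisions to the defaults.
    static ObjectInputFilter depthFilter() {
        return info -> info.depth() > MAX_DEPTH
                ? ObjectInputFilter.Status.REJECTED
                : ObjectInputFilter.Status.UNDECIDED;
    }

    // Deserialize a payload with the depth filter installed before the first read.
    static Object readWithFilter(byte[] payload) throws IOException, ClassNotFoundException {
        try (ObjectInputStream in = new ObjectInputStream(new ByteArrayInputStream(payload))) {
            in.setObjectInputFilter(depthFilter());
            return in.readObject();
        }
    }

    // Constructed test input: a HashMap nested 'depth' levels deep.
    static byte[] nestedMapBytes(int depth) throws IOException {
        Map<String, Object> root = new HashMap<>();
        Map<String, Object> cur = root;
        for (int i = 0; i < depth; i++) {
            Map<String, Object> next = new HashMap<>();
            cur.put("k", next);
            cur = next;
        }
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream out = new ObjectOutputStream(bos)) {
            out.writeObject(root);
        }
        return bos.toByteArray();
    }

    public static void main(String[] args) throws Exception {
        readWithFilter(nestedMapBytes(4));       // shallow graph: accepted
        try {
            readWithFilter(nestedMapBytes(200)); // deep graph: rejected before it is materialised
        } catch (InvalidClassException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

The filter is consulted for every object as the stream is parsed, so the rejection happens at the first level past the limit rather than after the whole graph has been allocated.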
This CVE was analyzed within the context of the the reload4j project. It was deemed as not a serious or practical threat as its attack surface as it pertains to log4j 1.x is vanishingly small [1]. The reload4j project is a fork of Apache log4j version 1.2.17 with the goal of fixing pressing security issues. Reload4j is a binary compatible, drop-in replacement for log4j version 1.2.17. By drop-in, we mean that you can replace log4j.jar with reload4j.jar in your build with no source code changes, no recompilation, nor rebuild being necessary. Best regards, [1] https://github.com/qos-ch/reload4j/issues/63 On 4/21/2023 2:52 PM, Marián Konček wrote: > Would it be possible to provide more details of concerned classes which > cause the DDOS or give an example how to reproduce this? > > On 2023/03/10 13:37:22 Arnout Engelen wrote: >> Severity: low >> >> Description: >> >> ** UNSUPPORTED WHEN ASSIGNED ** >> >> When using the Chainsaw or SocketAppender components with Log4j 1.x on > JRE less than 1.7, an attacker that manages to cause a logging entry > involving a specially-crafted (ie, deeply nested) >> hashmap or hashtable (depending on which logging component is in use) > to be processed could exhaust the available memory in the virtual > machine and achieve Denial of Service when the object is deserialized. >> >> This issue affects Apache Log4j before 2. Affected users are > recommended to update to Log4j 2.x. >> >> NOTE: This vulnerability only affects products that are no longer > supported by the maintainer. >> >> Credit: >> >> Garrett Tucker of Red Hat (reporter) >> >> References: >> >> https://logging.apache.org/ >> https://www.cve.org/CVERecord?id=CVE-2023-26464 >> >> > -- Ceki Gülcü Sponsoring SLF4J/logback/reload4j at https://github.com/sponsors/qos-ch