[jira] [Comment Edited] (LOG4J2-3221) JNDI lookups in layout (not message patterns) enabled in Log4j2 < 2.16.0

Tue, 14 Dec 2021 09:24:06 -0800 


    [ 
https://issues.apache.org/jira/browse/LOG4J2-3221?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17459326#comment-17459326
 ] 

Tero Marttila edited comment on LOG4J2-3221 at 12/14/21, 5:23 PM:
------------------------------------------------------------------

Based on some further testing, this only seems to affect configurations with 
pattern layouts using the {{{}$\{ctx:...{}}}} lookup syntax, and not the (more 
common?) {{{}%X{...{}}}} MDC pattern converter syntax.

 

EDIT: this contradicts the findings in CVE-2021-45046 
[https://lists.apache.org/thread/83y7dx5xvn3h5290q1twn16tltolv88f] which state 
that configurations using %X patterns are affected. Please ignore my findings 
in deference to the findings in the CVE.

 

As such, waiting for someone from log4j to confirm/analyze this before 
panicking too much :)


was (Author: JIRAUSER281852):
Based on some further testing, this only seems to affect configurations with 
pattern layouts using the {{{}$\{ctx:...{}}}} lookup syntax, and not the (more 
common?) {{{}%X{...{}}}} MDC pattern converter syntax.

 

As such, waiting for someone from log4j to confirm/analyze this before 
panicking too much :)

> JNDI lookups in layout (not message patterns) enabled in Log4j2 < 2.16.0
> ------------------------------------------------------------------------
>
>                 Key: LOG4J2-3221
>                 URL: https://issues.apache.org/jira/browse/LOG4J2-3221
>             Project: Log4j 2
>          Issue Type: Bug
>            Reporter: Lucy Menon
>            Priority: Major
>             Fix For: 2.16.0
>
>
> The mitigation advice for CVE-2021-4428 suggests that for Log4j > 2.10.0 and 
> < 2.15.0, the vulnerability can be avoided by setting 
> -{{{}Dlog4j2.formatMsgNoLookups=true{}}} or upgrading to 2.15.0. However, 
> many users may not be aware that even in this case, lookups used in layouts 
> to provide specific pieces of context information will still recursively 
> resolve, possibly triggering JNDI lookups. In order to avoid 
> attacker-controlled JNDI lookups, users must also either:
>  * Ensure that no such lookups resolve to attacker-provided data
>  * Ensure that the the JndiLookup class is not loaded
>  * Upgrade to log4j2 2.16.0 (untested)



--
This message was sent by Atlassian Jira
(v8.20.1#820001)

Reply via email to