[ https://issues.apache.org/jira/browse/LOG4J2-3230?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17461376#comment-17461376 ]

Mirko Friedenhagen commented on LOG4J2-3230:
--------------------------------------------

Sorry folks, I just downloaded the sample and played with versions:
* If I replace the SYSTEM_OUT pattern with the same as the one in 
{{application.log}} *and* use log4j 2.15.0 or 2.16.0, I get 
{noformat}
2021-12-17 12:20:42,265 INFO n.j.TestDOS [net.jondotcomdotorg.TestDOS.main()] 
${ctx:loginId} Malicious log attempt A ${${::-${::-$${::-j}}}}
{noformat}
* When I use the original pattern layout for SYSTEM_OUT, I get the 
{{java.lang.IllegalStateException}} even with 2.16.0.

But: why would someone define a pattern like {code}"%d{HH:mm:ss.SSS} [%t] %-5level %logger{36} - %msg%n ${${::-${::-$${::-j}}}}"{code}? Where is the 
use case?

And besides: Do you fear a DoS attack then? I do not see the attack vector here 
(except maybe overwhelming the log system with noise *if* you choose a very 
strange pattern). I am not trolling, but I am not very deep into attack analysis :-)


> Certain strings can cause infinite recursion
> --------------------------------------------
>
>                 Key: LOG4J2-3230
>                 URL: https://issues.apache.org/jira/browse/LOG4J2-3230
>             Project: Log4j 2
>          Issue Type: Bug
>          Components: Core
>    Affects Versions: 2.8, 2.8.1, 2.8.2, 2.9.0, 2.9.1, 2.10.0, 2.11.0, 2.11.1, 
> 2.11.2, 2.12.0, 2.12.1, 2.13.0, 2.13.1, 2.13.2, 2.14.0, 2.13.3, 2.14.1, 
> 2.15.0, 2.16.0
>            Reporter: Ross Cohen
>            Assignee: Carter Kozak
>            Priority: Major
>             Fix For: 2.17.0
>
>         Attachments: sample.tar.gz
>
>
> If a string substitution is attempted for any reason on the following string, 
> it will trigger an infinite recursion, and the application will crash: 
> ${${::-${::-$${::-j}}}}.



--
This message was sent by Atlassian Jira
(v8.20.1#820001)
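As an added illustration (not code from the issue, the attached sample, or Log4j itself), here is a small Python model of recursive `${...}` substitution with `:-` defaults and `$${` escapes, fed by a thread-context-style `ctx:` lookup like the `${ctx:loginId}` in the pattern discussed above. It shows the crash class the issue describes: a context value that resolves back to a lookup makes an unbounded substitutor recurse until the interpreter stack overflows, while a depth bound turns the same input into a controlled error that the caller can log and move past. The expansion rules, the `ctx` map, `make_lookup`, `render`, `max_depth` and the error text are my own assumptions; the model deliberately does not reproduce Log4j's exact escape and cycle bookkeeping, so the issue's literal payload is not what loops here, and the depth bound is one generic mitigation, not a description of the 2.17.0 fix.

```python
"""Simplified model of recursive ${...} lookup substitution (not Log4j's StrSubstitutor).

Rules modelled (assumptions for this example):
  ${name}           -> lookup(name); the result is expanded again; unknown names stay literal
  ${name:-default}  -> default (expanded again) when lookup(name) is None
  $${...}           -> escape: emits the literal text ${...} without expanding it
"""
from typing import Callable, Dict, Optional

Lookup = Callable[[str], Optional[str]]


class SubstitutionDepthExceeded(RuntimeError):
    """Raised when nested or recursive expansion exceeds the configured bound."""


def _matching_close(text: str, start: int) -> int:
    """Return the index of the '}' that closes the '{' at text[start]."""
    depth = 0
    for i in range(start, len(text)):
        if text[i] == "{":
            depth += 1
        elif text[i] == "}":
            depth -= 1
            if depth == 0:
                return i
    raise ValueError("unbalanced ${ in %r" % text)


def substitute(text: str, lookup: Lookup, max_depth: Optional[int] = 16, _depth: int = 0) -> str:
    """Expand every ${...} in text. max_depth=None means unbounded (the crashing behaviour)."""
    if max_depth is not None and _depth > max_depth:
        raise SubstitutionDepthExceeded(f"lookup expansion exceeded {max_depth} levels in {text!r}")
    out = []
    i = 0
    while i < len(text):
        if text.startswith("$${", i):
            close = _matching_close(text, i + 2)
            out.append(text[i + 1:close + 1])  # escaped: keep "${...}" literally
            i = close + 1
        elif text.startswith("${", i):
            close = _matching_close(text, i + 1)
            # The variable expression itself may contain lookups: expand it first.
            inner = substitute(text[i + 2:close], lookup, max_depth, _depth + 1)
            name, sep, default = inner.partition(":-")
            value = lookup(name)
            if value is None and sep:
                value = default
            if value is None:
                out.append(text[i:close + 1])  # unresolved: left as written
            else:
                # Recursive re-expansion of the resolved value: this is where a
                # self-referencing value never bottoms out.
                out.append(substitute(value, lookup, max_depth, _depth + 1))
            i = close + 1
        else:
            out.append(text[i])
            i += 1
    return "".join(out)


def make_lookup(ctx: Dict[str, str]) -> Lookup:
    """Lookup resolving only 'ctx:<key>' from a thread-context-style map (assumed shape)."""
    def lookup(name: str) -> Optional[str]:
        prefix, sep, key = name.partition(":")
        if sep and prefix == "ctx":
            return ctx.get(key)
        return None
    return lookup


def render(pattern: str, ctx: Dict[str, str], max_depth: int = 16) -> str:
    """Bounded expansion: a runaway lookup becomes a tagged error string instead of a crash."""
    try:
        return substitute(pattern, make_lookup(ctx), max_depth)
    except SubstitutionDepthExceeded as exc:
        return f"<lookup-error: {exc}>"


def crashes_unbounded(pattern: str, ctx: Dict[str, str]) -> bool:
    """True if unbounded expansion exhausts the interpreter stack (the StackOverflowError analogue)."""
    try:
        substitute(pattern, make_lookup(ctx), max_depth=None)
        return False
    except RecursionError:
        return True


if __name__ == "__main__":
    # Constructed sample context: attacker controls loginId, which points back at itself.
    ctx = {"user": "alice", "loginId": "${ctx:loginId}"}
    print(render("user=${ctx:user} login=${ctx:loginId}", ctx))
    print("unbounded expansion crashes:", crashes_unbounded("${ctx:loginId}", ctx))
```

Note the `${ctx:missing:-$${ctx:user}}` case in the test: an escape nested inside a default survives the first pass as literal `${ctx:user}` and is then expanded on the re-expansion pass, which is the general property that lets nested defaults and escapes produce more substitution work than the input literally shows.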