[https://issues.apache.org/jira/browse/LOG4J2-3230?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17461613#comment-17461613]
Jon Bristow commented on LOG4J2-3230:
-------------------------------------
[~mfriedenhagen] While my initial impressions lead me to agree with you, I'm
still unwilling to declare anything definitively regarding safety/non-safety.
(Such is the nature of things, eh?)
Please: can anyone actually provide an explanation (or, even better, a minimal
example) that would make this a security risk, especially a DoS? I can see
this being potentially a log evasion kind of attack, but I am famously
un-creative when it comes to abuse cases, so I would love it if someone could
explain why I'm wrong.
Things I may have missed:
* other kinds of appenders
* interactions with different Java versions. (I was able to get the same
results in "openjdk 11.0.12 2021-07-20", "OpenJDK Runtime Environment
Corretto-8.282.08.1", and "openjdk 17 2021-09-14")
* interactions with many long-running processes
* heap pollution
> Certain strings can cause infinite recursion
> --------------------------------------------
>
> Key: LOG4J2-3230
> URL: https://issues.apache.org/jira/browse/LOG4J2-3230
> Project: Log4j 2
> Issue Type: Bug
> Components: Core
> Affects Versions: 2.8, 2.8.1, 2.8.2, 2.9.0, 2.9.1, 2.10.0, 2.11.0, 2.11.1,
> 2.11.2, 2.12.0, 2.12.1, 2.13.0, 2.13.1, 2.13.2, 2.14.0, 2.13.3, 2.14.1,
> 2.15.0, 2.16.0
> Reporter: Ross Cohen
> Assignee: Carter Kozak
> Priority: Major
> Fix For: 2.17.0
>
> Attachments: sample.tar.gz
>
>
> If a string substitution is attempted for any reason on the following string,
> it will trigger an infinite recursion, and the application will crash:
> ${${::\-${::\-$${::\-j}}}}.
--
This message was sent by Atlassian Jira
(v8.20.1#820001)
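As an added illustration (not Log4j code, and not a reproduction of how Log4j parses the quoted string), here is a toy `${...}` substitutor in Python that re-expands looked-up values the way the issue describes, with a depth bound so that a value which expands back into a reference to itself fails with a controlled error instead of unbounded recursion. The variable names, sample values and `MAX_DEPTH` are constructed for the example.

```python
import re

# Assumed bound for this toy; a real substitutor would tune it per deployment.
MAX_DEPTH = 8

# Innermost ${name} or ${name:-default} (no nested "${" inside the braces).
_REF = re.compile(r"\$\{([^${}]*?)(?::-([^${}]*))?\}")


class SubstitutionDepthExceeded(Exception):
    """Raised instead of recursing forever on self-referential input."""


def substitute(text, variables, depth=0):
    """Expand ${...} references in text; resolved values are expanded again,
    which is exactly the behaviour that lets a self-referential value loop."""
    if depth > MAX_DEPTH:
        raise SubstitutionDepthExceeded(f"depth {depth} expanding {text!r}")

    def resolve(match):
        name, default = match.group(1), match.group(2)
        value = variables.get(name, default)
        if value is None:            # unknown name and no default: leave as-is
            return match.group(0)
        return substitute(value, variables, depth + 1)

    # Peel one nesting level per pass, innermost first, until nothing changes;
    # the pass count is bounded too so re-expansion cannot spin forever.
    for _ in range(MAX_DEPTH + 1):
        new_text = _REF.sub(resolve, text)
        if new_text == text:
            return new_text
        text = new_text
    raise SubstitutionDepthExceeded(f"too many passes expanding {text!r}")


def safe_substitute(text, variables):
    """Return (True, expanded) or (False, reason) without ever crashing."""
    try:
        return True, substitute(text, variables)
    except SubstitutionDepthExceeded as exc:
        return False, str(exc)


if __name__ == "__main__":
    # Constructed sample data: a benign nested reference, and a looked-up
    # value that expands back into a reference to itself (the bug's shape).
    ok_vars = {"env": "prod", "host.prod": "db1.internal"}
    bad_vars = {"ctx.user": "${ctx.user:-guest}"}
    print(safe_substitute("host=${host.${env}}", ok_vars))  # (True, 'host=db1.internal')
    print(safe_substitute("user=${ctx.user}", bad_vars))    # (False, 'depth 9 ...')
```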