[ 
https://issues.apache.org/jira/browse/LOG4J2-3230?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17461685#comment-17461685
 ] 

Bernd Eckenfels commented on LOG4J2-3230:
-----------------------------------------

Jon, I don’t think I understand the full extent, but here is what I see:

a) this cannot be triggered by malicious log messages on 2.16 or on anything 2.10+ with the noLookup flag defined (however removing JndiLookup.class does not help)
b) if it can be triggered by (a) it allows log evasion and to some extent DoS (with high number of user controlled and logged exceptions, stack rewinds, CPU peaks, latency and produced garbage and safepoints(?))
c) for the cases where user can’t control log messages a local admin (or trusted tenant) can trigger it in log4j patterns or config. That’s not nice but there are many other possible damages an admin can make like 100-folding log messages or not logging anything, so that’s not a very concerning threat model (but of course should still be fixed)
d) what is not clear to me is if any particular patterns could re-introduce the expansion of user messages with this pattern, and if so would it be a pattern used in the wild or just a malicious admin idea?

> Certain strings can cause infinite recursion
> --------------------------------------------
>
>                 Key: LOG4J2-3230
>                 URL: https://issues.apache.org/jira/browse/LOG4J2-3230
>             Project: Log4j 2
>          Issue Type: Bug
>          Components: Core
>    Affects Versions: 2.8, 2.8.1, 2.8.2, 2.9.0, 2.9.1, 2.10.0, 2.11.0, 2.11.1, 
> 2.11.2, 2.12.0, 2.12.1, 2.13.0, 2.13.1, 2.13.2, 2.14.0, 2.13.3, 2.14.1, 
> 2.15.0, 2.16.0
>            Reporter: Ross Cohen
>            Assignee: Carter Kozak
>            Priority: Major
>             Fix For: 2.17.0
>
>         Attachments: sample.tar.gz
>
>
> If a string substitution is attempted for any reason on the following string, 
> it will trigger an infinite recursion, and the application will crash: 
> ${${::\-${::\-$${::\-j}}}}.
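The failure mode the issue describes is lookup-based interpolation that re-scans its own output without a bound. The following is an added illustration, not code from the Log4j project: a minimal `${...}` expander in Python whose only defence is a hard cap on expansion passes, which is the shape of control a practitioner wants when a substituted value can itself contain substitutions. The names `expand`, `resolve_one`, `ExpansionDepthExceeded` and the lookup dictionaries are assumptions; it supports `name` and `name:-default` only, and does not model log4j's `$${` escaping, so the issue's sample string simply expands to an empty string here rather than recursing. The self-referential values used to show the cap firing are constructed.

```python
import re

# Constructed example: a minimal recursive ${...} expander with a hard depth
# cap. It models the general shape of lookup-based interpolation (nested
# variables, ":-" defaults, re-scanning the expanded result); it is not
# log4j's StrSubstitutor and does not reproduce its escaping rules.


class ExpansionDepthExceeded(RuntimeError):
    """Raised when nested expansion does not converge within max_depth passes."""


# Innermost ${...}: a body that contains no further braces.
_INNERMOST = re.compile(r"\$\{([^{}]*)\}")


def resolve_one(body, lookup):
    """Resolve one variable body of the form 'name' or 'name:-default'.

    Unknown names without a default resolve to the empty string, which is the
    conservative choice: the unresolved text is never fed back into the output.
    """
    name, sep, default = body.partition(":-")
    value = lookup.get(name)
    if value is None:
        return default if sep else ""
    return value


def expand(template, lookup, max_depth=10):
    """Expand every innermost ${...}, re-scan the result, and repeat.

    A looked-up value may itself contain ${...}, so the output must be
    re-scanned. Without a cap, a value that refers back to itself (directly
    or through a chain) keeps the loop going until CPU or stack runs out;
    the cap turns that into a bounded, reportable error instead.
    """
    current = template
    for _ in range(max_depth):
        expanded, count = _INNERMOST.subn(
            lambda m: resolve_one(m.group(1), lookup), current)
        if count == 0:
            return expanded          # nothing left to expand: converged
        current = expanded
    raise ExpansionDepthExceeded(
        f"expansion did not converge after {max_depth} passes: {template!r}")


if __name__ == "__main__":
    env = {"which": "host", "host": "db1"}
    print(expand("${${which}}", env))            # nested lookup -> db1
    print(expand("${missing:-none}", env))       # default applies -> none
    # Constructed cycle: a -> ${b}, b -> ${a}. Bounded, not a crash.
    try:
        expand("${a}", {"a": "${b}", "b": "${a}"})
    except ExpansionDepthExceeded as exc:
        print("stopped:", exc)
```

With this bound a pathological input costs at most `max_depth` passes over the string, so the DoS shape the comment mentions (CPU peaks, deep stacks, garbage) is limited to a fixed small multiple of the input length, and the failure is a single catchable exception rather than a stack overflow.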



--
This message was sent by Atlassian Jira
(v8.20.1#820001)