[ 
https://issues.apache.org/jira/browse/LOG4J2-3230?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17462567#comment-17462567
 ] 

Wojtek commented on LOG4J2-3230:
--------------------------------

I'm afraid that the official mitigation (described in 
https://logging.apache.org/log4j/2.x/security.html), which gives an alternative 
solution based on the original thread on the oss-security mailing list 
(https://www.openwall.com/lists/oss-security/2021/12/19/1):

{noformat}
Alternatively, this can be mitigated in configuration:

In PatternLayout in the logging configuration, replace Context Lookups like 
${ctx:loginId} or $${ctx:loginId} with Thread Context Map patterns (%X, %mdc, 
or %MDC). Otherwise, in the configuration, remove references to Context Lookups 
like ${ctx:loginId} or $${ctx:loginId} where they originate from sources 
external to the application such as HTTP headers or user input.
{noformat}

is not enough. This approach only solves half the problem. There may still be a 
value injected into a message that causes recursion from a code point, as in the 
attached example:

 
{code:java}
import org.apache.logging.log4j.LogManager;
import org.apache.logging.log4j.Logger;
public class Sample {
    private static final Logger logger = LogManager.getLogger(Sample.class);
    private int a = 1, b = 2; // placeholder fields so the snippet compiles
    public int doAThing() {
        logger.info("Malicious log attempt A {}", "${${::-${::-$${::-j}}}}");
        final var temp = this.a + this.b;
        logger.info("Malicious log attempt B ${${::-${::-$${::-j}}}}");
        return temp;
    }
}
{code}
 

So a potential attacker can inject ${${::-${::-$${::-j}}}} into logs via the 
POST/GET method.

Please confirm whether my thinking is right?
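The comment above argues that lookup strings can reach the logger through message parameters as well as through PatternLayout context lookups. As an added example (not code from the issue, the attachment or Log4j itself), here is a small Python scanner a defender can run over log lines or inbound request fields: it finds every `${...}` expression, records its nesting depth, and flags the ingredients of the LOG4J2-3230 string (nesting, the `::-` default form, the `$$` escape), including a line that was truncated before the expression closed. The sample lines are constructed for this example.

```python
from dataclasses import dataclass

@dataclass
class Lookup:
    text: str          # the expression as it appeared, e.g. "${ctx:loginId}"
    depth: int         # nesting of "${" inside it; 1 means no nesting
    has_escape: bool   # contains "$${", which Log4j unescapes to "${" on one pass
    has_default: bool  # uses the "::-" default-value form the LOG4J2-3230 string abuses
    closed: bool       # False if the line ended before the closing "}" (truncated input)

def find_lookups(text: str) -> list:
    """Return every top-level ${...} expression in text, with its nesting depth."""
    found, stack, start, max_depth = [], [], 0, 0
    i = 0
    while i < len(text):
        if text.startswith("${", i):
            if not stack:                       # opening a new top-level expression
                start = i - 1 if i > 0 and text[i - 1] == "$" else i
                max_depth = 0
            stack.append(i)
            max_depth = max(max_depth, len(stack))
            i += 2
            continue
        if text[i] == "}" and stack:
            stack.pop()
            if not stack:                       # top-level expression closed
                expr = text[start:i + 1]
                found.append(Lookup(expr, max_depth, "$${" in expr, "::-" in expr, True))
        i += 1
    if stack:                                   # unterminated expression at end of line
        expr = text[start:]
        found.append(Lookup(expr, max_depth, "$${" in expr, "::-" in expr, False))
    return found

def is_suspicious(text: str, allowed_depth: int = 1) -> bool:
    """True for nested lookups, '::-' defaults, '$$' escapes or an unclosed expression."""
    return any(lk.depth > allowed_depth or lk.has_default or lk.has_escape or not lk.closed
               for lk in find_lookups(text))

# Constructed sample log lines (not from the issue); index 2 carries the string quoted in LOG4J2-3230.
SAMPLE_LINES = [
    "GET /index.html user-agent=Mozilla/5.0",
    "login user=alice loginId=${ctx:loginId}",
    "Malicious log attempt A ${${::-${::-$${::-j}}}}",
    "truncated line ${${::-${::-$${::-j",
]

def flagged_lines(lines: list) -> list:
    """Indices of lines that contain a suspicious lookup expression."""
    return [i for i, line in enumerate(lines) if is_suspicious(line)]
```

A plain single-level `${ctx:loginId}` is left alone by default so the scanner can also be pointed at configuration files; lower `allowed_depth` to 0 when scanning untrusted request data, where any lookup syntax is unexpected.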

 

 

> Certain strings can cause infinite recursion
> --------------------------------------------
>
>                 Key: LOG4J2-3230
>                 URL: https://issues.apache.org/jira/browse/LOG4J2-3230
>             Project: Log4j 2
>          Issue Type: Bug
>          Components: Core
>    Affects Versions: 2.8, 2.8.1, 2.8.2, 2.9.0, 2.9.1, 2.10.0, 2.11.0, 2.11.1, 
> 2.11.2, 2.12.0, 2.12.1, 2.13.0, 2.13.1, 2.13.2, 2.14.0, 2.13.3, 2.14.1, 
> 2.15.0, 2.16.0
>            Reporter: Ross Cohen
>            Assignee: Carter Kozak
>            Priority: Major
>             Fix For: 2.17.0
>
>         Attachments: sample.tar.gz
>
>
> If a string substitution is attempted for any reason on the following string, 
> it will trigger an infinite recursion, and the application will crash: 
> ${${::-${::-$${::-j}}}}.



--
This message was sent by Atlassian Jira
(v8.20.1#820001)