[
https://issues.apache.org/jira/browse/LOG4J2-3230?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17462592#comment-17462592
]
Wojtek commented on LOG4J2-3230:
--------------------------------
[~rpopma] I only copied code from original issue [^sample.tar.gz]
Please run it. Even
{code:java}
logger.info("Malicious log attempt B ${${::-${::-$${::-j}}}}");{code}
returns exception and process crash.
Alternative mitigation described in
[https://logging.apache.org/log4j/2.x/security.html|https://logging.apache.org/log4j/2.x/security.html)]
is based on logging configuration. Even when you fix your application
cofiguration attacker can still inject $\{${::{-}$\{::{-}$${::-j}}}} into
message from outside. Change $ to $$ does not affect on injected values because
the attacker still can injects $\{.
I'm talking about a situation where the user does not update library, but only
consists by alternative solution
> Certain strings can cause infinite recursion
> --------------------------------------------
>
> Key: LOG4J2-3230
> URL: https://issues.apache.org/jira/browse/LOG4J2-3230
> Project: Log4j 2
> Issue Type: Bug
> Components: Core
> Affects Versions: 2.8, 2.8.1, 2.8.2, 2.9.0, 2.9.1, 2.10.0, 2.11.0, 2.11.1,
> 2.11.2, 2.12.0, 2.12.1, 2.13.0, 2.13.1, 2.13.2, 2.14.0, 2.13.3, 2.14.1,
> 2.15.0, 2.16.0
> Reporter: Ross Cohen
> Assignee: Carter Kozak
> Priority: Major
> Fix For: 2.17.0
>
> Attachments: sample.tar.gz
>
>
> If a string substitution is attempted for any reason on the following string,
> it will trigger an infinite recursion, and the application will crash:
> ${${::\-${::\-$${::\-j}}}}.
--
This message was sent by Atlassian Jira
(v8.20.1#820001)
