[ https://issues.apache.org/jira/browse/LOG4J2-3230?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17462814#comment-17462814 ]

Mario Jauvin commented on LOG4J2-3230:
--------------------------------------

I read the complete ticket and I would kindly request a confirmation. People
that must still use Java 6 were using a log4j 2.3 without the JndiLookup.class
as a mitigation for the previous CVE-2021-44228 and CVE-2021-45046. In this
ticket, version 2.3 is not identified as being impacted, although
[https://nvd.nist.gov/vuln/detail/CVE-2021-45105] implies it is. I tested
[~jbristow]'s sample test program on version 2.3 and on 2.3 without a
JndiLookup.class, and I do not see the "java.lang.IllegalStateException:
Infinite loop in property interpolation" error in the log. I do not know if
this is because, as Jon suggested, his program does not test all cases. I would
like to know from the log4j 2 experts if log4j 2.3 without a
JndiLookup.class is a mitigation for this vulnerability.

Thanks

> Certain strings can cause infinite recursion
> --------------------------------------------
>
>                 Key: LOG4J2-3230
>                 URL: https://issues.apache.org/jira/browse/LOG4J2-3230
>             Project: Log4j 2
>          Issue Type: Bug
>          Components: Core
>    Affects Versions: 2.8, 2.8.1, 2.8.2, 2.9.0, 2.9.1, 2.10.0, 2.11.0, 2.11.1, 
> 2.11.2, 2.12.0, 2.12.1, 2.13.0, 2.13.1, 2.13.2, 2.14.0, 2.13.3, 2.14.1, 
> 2.15.0, 2.16.0
>            Reporter: Ross Cohen
>            Assignee: Carter Kozak
>            Priority: Major
>             Fix For: 2.17.0
>
>         Attachments: sample.tar.gz
>
>
> If a string substitution is attempted for any reason on the following string, 
> it will trigger an infinite recursion, and the application will crash: 
> ${${::\-${::\-$${::\-j}}}}.



--
This message was sent by Atlassian Jira
(v8.20.1#820001)
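The issue above concerns a property-interpolation loop and the comment refers to the "Infinite loop in property interpolation" error that a fixed version raises. As an added example, not code from log4j or from anyone in this thread, the toy `${var:-default}` interpolator below shows how self-referencing properties behave when expansion is bounded: the round limit turns what would otherwise be unbounded recursion into a clean error. The property names, the round limit (`MAX_ROUNDS`) and the `InterpolationLoopError` class are constructed for this illustration and are not log4j's.

```python
"""Toy ${var:-default} interpolator with a recursion guard (constructed example)."""
import re

MAX_ROUNDS = 32  # constructed bound; not the limit log4j itself uses

# Innermost-first: a ${...} whose body contains no further '$', '{' or '}'.
_INNER = re.compile(r"\$\{([^${}]*)\}")
_ESCAPE = "\x00"  # stand-in for the '$${' literal escape while expanding


class InterpolationLoopError(RuntimeError):
    """Expansion did not reach a fixed point within MAX_ROUNDS rounds."""


def _resolve(body, props):
    """Resolve one 'key:-default' body against the property map."""
    key, sep, default = body.partition(":-")
    if key in props:
        return props[key]
    if sep:
        return default
    # Simplification: an unresolved key with no default is an error here.
    raise KeyError(f"unresolved property {key!r}")


def interpolate(text, props, max_rounds=MAX_ROUNDS):
    """Expand nested ${...} references; raise instead of looping forever."""
    work = text.replace("$${", _ESCAPE)
    for _ in range(max_rounds):
        m = _INNER.search(work)
        if m is None:
            return work.replace(_ESCAPE, "${")
        # Each round substitutes exactly one innermost reference. A property
        # whose value re-introduces a reference to itself keeps producing new
        # matches, so the round counter is what stops the loop.
        work = work[:m.start()] + _resolve(m.group(1), props) + work[m.end():]
    raise InterpolationLoopError("Infinite loop in property interpolation: " + text)


if __name__ == "__main__":
    props = {"host": "db1", "port": "5432", "url": "${host}:${port}"}
    print(interpolate("${url}", props))                 # db1:5432
    print(interpolate("${${which}:-none}", {"which": "host", "host": "db1"}))
    try:
        interpolate("${a}", {"a": "${b}", "b": "${a}"})  # two-node cycle
    except InterpolationLoopError as err:
        print(err)
```

Because expansion is iterative and bounded, a growing self-reference such as `{"grow": "x${grow}"}` also ends in `InterpolationLoopError` rather than exhausting the stack.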
