https://issues.apache.org/jira/browse/LOG4J2-3230?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17462831#comment-17462831
Carter Kozak commented on LOG4J2-3230:
--------------------------------------
There is no way to flip substitutionInVariablesEnabled in configuration, nor do
I believe it is a sufficient mitigation. That and backcompat are why I opted to
implement recursion controls instead of reliance on that flag in the 2.17.0 fix.
I have backported the change to 2.12 (java 7) and 2.3 (java 6) and we are
working on releases. Please try to bear with us; it has been an exceedingly
long week.
The best mitigation for versions prior to 2.14.1 is to avoid lookups for
components which can contain user-provided data AND avoid PatternLayout which
attempts to replace lookups in the formatted message contents.
> Certain strings can cause infinite recursion
> --------------------------------------------
>
> Key: LOG4J2-3230
> URL: https://issues.apache.org/jira/browse/LOG4J2-3230
> Project: Log4j 2
> Issue Type: Bug
> Components: Core
> Affects Versions: 2.8, 2.8.1, 2.8.2, 2.9.0, 2.9.1, 2.10.0, 2.11.0, 2.11.1,
> 2.11.2, 2.12.0, 2.12.1, 2.13.0, 2.13.1, 2.13.2, 2.14.0, 2.13.3, 2.14.1,
> 2.15.0, 2.16.0
> Reporter: Ross Cohen
> Assignee: Carter Kozak
> Priority: Major
> Fix For: 2.17.0
>
> Attachments: sample.tar.gz
>
>
> If a string substitution is attempted for any reason on the following string,
> it will trigger an infinite recursion, and the application will crash:
> ${${::\-${::\-$${::\-j}}}}.
--
This message was sent by Atlassian Jira
(v8.20.1#820001)
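Added illustration, not code from the Log4j project or from anyone in this thread: a toy model of a ${...} substitutor that, like the behaviour discussed above, resolves nested lookups both inside variable names and inside lookup results. A value that refers back to its own key then recurses without bound; a depth limit (standing in for the "recursion controls" of the 2.17.0 fix) turns that into a caught error, and a format_log_line helper models the "avoid lookups on user-provided data" mitigation by never running the message through the substitutor. The lookup table, the "%m" placeholder, the depth limit of 8 and the self-referential "self" key are all constructed for this example; Log4j's escape handling is not modelled, so the reporter's exact string is not reproduced here.

```python
"""Toy model of nested ${...} substitution, with and without a recursion limit.

Added illustration code, not Log4j's StrSubstitutor: the lookup table, the
"%m" message placeholder and the depth limit are constructed for this example,
and escape handling (the reporter's backslash sequences) is not modelled.
"""

DEFAULT_DELIM = ":-"  # ${key:-fallback}, the default-value syntax Log4j uses


class RecursionLimitExceeded(Exception):
    """Raised when nested substitution goes deeper than the configured limit."""


def _find_closing_brace(text, start):
    """Index of the '}' matching the '${' at text[start], or -1 if unbalanced."""
    depth = 0
    i = start
    while i < len(text):
        if text.startswith("${", i):
            depth += 1
            i += 2
            continue
        if text[i] == "}":
            depth -= 1
            if depth == 0:
                return i
        i += 1
    return -1


class Substitutor:
    """Resolves ${...} in variable names AND in lookup results, recursively."""

    def __init__(self, lookups, max_depth=None):
        self.lookups = lookups      # key -> value; values may contain ${...} too
        self.max_depth = max_depth  # None models the unbounded pre-fix behaviour

    def substitute(self, text, depth=0):
        if self.max_depth is not None and depth > self.max_depth:
            raise RecursionLimitExceeded("nesting deeper than %d" % self.max_depth)
        out, i = [], 0
        while i < len(text):
            start = text.find("${", i)
            end = _find_closing_brace(text, start) if start >= 0 else -1
            if end < 0:
                out.append(text[i:])            # no complete lookup left
                break
            out.append(text[i:start])
            # Nested lookups in the variable name are resolved first.
            inner = self.substitute(text[start + 2:end], depth + 1)
            key, sep, fallback = inner.partition(DEFAULT_DELIM)
            if key in self.lookups:
                # The lookup's value is itself substituted, so a value that refers
                # back to its own key recurses forever unless a limit stops it.
                out.append(self.substitute(self.lookups[key], depth + 1))
            elif sep:
                out.append(fallback)            # already substituted with `inner`
            else:
                out.append("${" + inner + "}")  # unknown key: leave as-is
            i = end + 1
        return "".join(out)


def safe_substitute(sub, text):
    """Resolve text, reporting a recursion failure instead of crashing."""
    try:
        return sub.substitute(text)
    except (RecursionLimitExceeded, RecursionError) as exc:
        return "<unresolved: %s>" % type(exc).__name__


def format_log_line(sub, pattern, message):
    """Mitigation model: lookups run only over the trusted layout pattern; the
    (possibly attacker-supplied) message is spliced in afterwards untouched."""
    prefix, _, suffix = pattern.partition("%m")
    return sub.substitute(prefix) + message + sub.substitute(suffix)


# Constructed lookup table for the demo; "self" is the self-referential case.
LOOKUPS = {
    "app": "orders",
    "which": "app",
    "env": "${region}-prod",
    "region": "eu",
    "self": "${self}",
}

if __name__ == "__main__":
    limited = Substitutor(LOOKUPS, max_depth=8)
    unbounded = Substitutor(LOOKUPS)
    print(limited.substitute("${app}@${env} ${${which}} ${missing:-fallback}"))
    print(safe_substitute(limited, "${self}"))    # stopped by the depth limit
    print(safe_substitute(unbounded, "${self}"))  # hits Python's stack limit instead
    print(format_log_line(limited, "[${app}] %m", "${self}"))  # message left verbatim
```

The unbounded instance only survives because Python turns stack exhaustion into a RecursionError; a JVM would throw StackOverflowError, which is the crash the reporter describes. Note that the depth limit is an error path, not a resolution: the self-referential input is still rejected, and the point of format_log_line is that a message never reaches the substitutor at all.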