[ https://issues.apache.org/jira/browse/LOG4J2-3230 ]
Peter Malone deleted comment on LOG4J2-3230:
--------------------------------------
was (Author: JIRAUSER282309):
I briefly tested versions 2.3, 2.4, 2.5, 2.6 and 2.7, and they do not appear
vulnerable to this infinite loop issue.
2.8 and up are vulnerable. Looks like this was introduced in 2.8.
In release 2.8 I see
./src/main/java/org/apache/logging/log4j/core/lookup/StrSubstitutor.java:
private boolean enableSubstitutionInVariables = true;
In release 2.7 it is not hardcoded to true and defaults to false.
> Certain strings can cause infinite recursion
> --------------------------------------------
>
> Key: LOG4J2-3230
> URL: https://issues.apache.org/jira/browse/LOG4J2-3230
> Project: Log4j 2
> Issue Type: Bug
> Components: Core
> Affects Versions: 2.8, 2.8.1, 2.8.2, 2.9.0, 2.9.1, 2.10.0, 2.11.0, 2.11.1,
> 2.11.2, 2.12.0, 2.12.1, 2.13.0, 2.13.1, 2.13.2, 2.14.0, 2.13.3, 2.14.1,
> 2.15.0, 2.16.0
> Reporter: Ross Cohen
> Assignee: Carter Kozak
> Priority: Major
> Fix For: 2.17.0
>
> Attachments: sample.tar.gz
>
>
> If a string substitution is attempted for any reason on the following string,
> it will trigger an infinite recursion, and the application will crash:
> ${${::\-${::\-$${::\-j}}}}.
--
This message was sent by Atlassian Jira
(v8.20.1#820001)
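
Added example (not part of the Jira message or of Log4j's code): a heuristic Python scanner that flags text in which `${` lookups are nested inside one another, the shape that substitution inside variable names acts on and that the reported string has. The function names, the threshold of 2 and the sample lines are assumptions constructed here; this is not Log4j's parser.

```python
from typing import Iterable, List, Tuple

# The string exactly as printed in the issue description above.
PAGE_STRING = r"${${::\-${::\-$${::\-j}}}}"

# Constructed sample input (not real log data).
SAMPLE_LINES = [
    "GET /index.html 200",
    "user=${env:USER} logged in",
    "ua=" + PAGE_STRING,
    "price is $5 {approx}",
    "unterminated ${${a",
]


def max_lookup_depth(text: str) -> int:
    """Return the deepest level of '${' nesting seen in text.

    A '}' closes a level only while one is open, so stray braces in
    ordinary text are ignored. Unterminated openers still count, because
    a truncated field should not hide nesting from the scanner.
    """
    depth = deepest = 0
    i = 0
    while i < len(text):
        if text.startswith("${", i):
            depth += 1
            deepest = max(deepest, depth)
            i += 2
            continue
        if text[i] == "}" and depth > 0:
            depth -= 1
        i += 1
    return deepest


def flag_nested(lines: Iterable[str], threshold: int = 2) -> List[Tuple[int, int]]:
    """Return (line_number, depth) for lines whose nesting reaches threshold."""
    hits = []
    for number, line in enumerate(lines, start=1):
        depth = max_lookup_depth(line)
        if depth >= threshold:
            hits.append((number, depth))
    return hits


if __name__ == "__main__":
    for number, depth in flag_nested(SAMPLE_LINES):
        print(f"line {number}: lookup nesting depth {depth}")
```

A single, un-nested lookup such as `${env:USER}` has depth 1 and is not flagged at the default threshold.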