[ https://issues.apache.org/jira/browse/LOG4J2-3230?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17463019#comment-17463019 ]

Ralph Goers commented on LOG4J2-3230:
-------------------------------------

We have 3 CVEs because there were several distinct problems going on:
# Bad people could enter data in an input screen or in an HTTP header with a 
JNDI lookup pointing to an LDAP server and if that data was logged it would 
cause an RCE. CVE-2021-44228
# If you have JNDI configured to point to an LDAP server to retrieve a password 
stored as a Java String some malicious person could change that LDAP entry to 
cause an RCE (and you wouldn't even know it happened). CVE-2021-44228
# If you copy HTTP header values into a ThreadContext variable and the value 
contains ${jndi:ldap:badstuff...} and then use that variable as ${ctx:key} in a 
logging configuration element evaluated for each log event (i.e. 
RollingFileAppender filePattern, RoutingAppender Routes) then it would execute 
the JNDI lookup and cause an RCE - CVE-2021-45046
# If you copy HTTP header values into a ThreadContext variable and the value 
contains a recursive lookup and then use that variable as ${ctx:key} in a 
logging configuration element evaluated for each log event then a 
StackOverflowError could occur - CVE-2021-45105.

Getting rid of the JndiLookup class solves the worst of it - the RCEs. But 
bullet point 2 can also happen with the JMS Appender or JNDI ContextSelector. 
Although it is unlikely most JEE apps would use them that way.

But removing JndiLookup does not mitigate against item 4. 

If you use 2.3.1, 2.12.3, or 2.17.0 none of the 4 items can happen. JNDI is 
disabled by default and only supports the java protocol when enabled. Lookups 
that take place during event processing are no longer allowed to recurse. This 
may make some users unhappy but we saw no other obvious way to tolerate bad 
data during event processing.

> Certain strings can cause infinite recursion
> --------------------------------------------
>
>                 Key: LOG4J2-3230
>                 URL: https://issues.apache.org/jira/browse/LOG4J2-3230
>             Project: Log4j 2
>          Issue Type: Bug
>          Components: Core
>    Affects Versions: 2.8, 2.8.1, 2.8.2, 2.9.0, 2.9.1, 2.10.0, 2.11.0, 2.11.1, 
> 2.11.2, 2.12.0, 2.12.1, 2.13.0, 2.13.1, 2.13.2, 2.14.0, 2.13.3, 2.14.1, 
> 2.15.0, 2.16.0
>            Reporter: Ross Cohen
>            Assignee: Carter Kozak
>            Priority: Major
>             Fix For: 2.17.0
>
>         Attachments: sample.tar.gz
>
>
> If a string substitution is attempted for any reason on the following string, 
> it will trigger an infinite recursion, and the application will crash: 
> ${${::\-${::\-$${::\-j}}}}.



--
This message was sent by Atlassian Jira
(v8.20.1#820001)
