[ https://issues.apache.org/jira/browse/LOG4J2-3279?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17464392#comment-17464392 ]
sumeet sharma commented on LOG4J2-3279:
---------------------------------------
I've used the code sample provided in one of the comments by [~jbristow]
(thanks!). I modified the log4j2.xml for this repro a bit.
Also, there already seems to be a discussion going on for this in
https://issues.apache.org/jira/browse/LOG4J2-3230.
> Alternative mitigation documented for CVE-2021-45105 doesn't work for
> messages without context lookup if the Log4J2 consumers are not on version >=
> 2.15
> --------------------------------------------------------------------------------------------------------------------------------------------------------
>
> Key: LOG4J2-3279
> URL: https://issues.apache.org/jira/browse/LOG4J2-3279
> Project: Log4j 2
> Issue Type: Bug
> Components: Documentation
> Affects Versions: 2.14.0
> Reporter: sumeet sharma
> Priority: Major
>
> Alternative mitigation documented for CVE-2021-45105 doesn't work for
> messages without context lookup if the Log4J2 consumers are not on version >=
> 2.15.
> Official mitigation provided in
> [https://logging.apache.org/log4j/2.x/security.html] reads:
> h3. "[CVE-2021-45105|https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-45105]:
> Apache Log4j2 does not always protect from infinite recursion in lookup
> evaluation
> h3. <trimmed for brevity>
> h3. Mitigation
> h4. Log4j 1.x mitigation
> Log4j 1.x is not impacted by this vulnerability.
> h4. Log4j 2.x mitigation
> Upgrade to Log4j 2.3.1 (for Java 6), 2.12.3 (for Java 7), or 2.17.0 (for Java
> 8 and later).
> *Alternatively, this infinite recursion issue can be mitigated in
> configuration:*
> * *In PatternLayout in the logging configuration, replace Context Lookups
> like ${ctx:loginId} or $${ctx:loginId} with Thread Context Map patterns (%X,
> %mdc, or %MDC).*
> * *Otherwise, in the configuration, remove references to Context Lookups
> like ${ctx:loginId} or $${ctx:loginId} where they originate from sources
> external to the application such as HTTP headers or user input."*
> The alternative mitigation statement seems to be making assumptions.
> The infinite recursion issue in the message part of the log seems to be fixed
> in version 2.15. On versions prior to that (I tried on 2.14.0), this issue is
> still applicable.
> Assuming a user is on Log4J 2.14.0, if they follow this mitigation step by
> step, they will still be able to reproduce the infinite recursion issue.
> pom.xml
> {code:java}
> <dependencies>
> <dependency>
> <groupId>org.apache.logging.log4j</groupId>
> <artifactId>log4j-api</artifactId>
> <version>2.14.0</version>
> </dependency>
> <dependency>
> <groupId>org.apache.logging.log4j</groupId>
> <artifactId>log4j-core</artifactId>
> <version>2.14.0</version>
> </dependency>
> </dependencies>
> {code}
> Code:
> {code:java}
> LOG.info("Problematic payload {}", "${${::${::$${::-j}}}}");
> LOG.info("Problematic payload ${${::${::$${::-j}}}}");
> {code}
>
> Log4j2.xml
> {code:java}
> <Console name="Console" target="SYSTEM_OUT">
> <PatternLayout pattern="%d{HH:mm:ss.SSS} [%t] %-5level %logger{36} - %m%n"/>
> </Console>
> {code}
>
> Output
> {code:java}
> 2021-12-23 14:40:49,031 main ERROR An exception occurred processing Appender
> Application java.lang.IllegalStateException: Infinite loop in property
> interpolation of ::-${::-$${::-j}}: :
> {code}
>
> If this stands true, then the documentation should mention the minimum
> required version for the alternative mitigation to work.
> I've only kept 2.14.0 as the affected version as I tested on the same, but this
> might be applicable to quite a few versions.
--
This message was sent by Atlassian Jira
(v8.20.1#820001)
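For readers following the advisory text quoted in the issue, the following log4j2.xml is an added illustration (not part of the Jira issue or the Log4j project's documentation) of the PatternLayout change it describes: the "Before" appender carries a Context Lookup in its pattern, the "After" appender uses the Thread Context Map pattern %X for the same key. The appender names and the "loginId" key are assumptions made for this example.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Added example, not taken from the issue. Appender names and the
     "loginId" key are assumed for illustration. -->
<Configuration status="WARN">
  <Appenders>
    <!-- BEFORE: $${ctx:loginId} is a Context Lookup that the layout resolves
         for every event ($$ defers the lookup from configuration load to
         event time; the advisory lists both ${ctx:...} and $${ctx:...} as
         forms to replace). A Thread Context value that itself contains
         "${...}" is interpolated again, which is the recursion path the
         advisory tells operators to close in configuration. -->
    <Console name="Before" target="SYSTEM_OUT">
      <PatternLayout pattern="%d{HH:mm:ss.SSS} [%t] %-5level %logger{36} user=$${ctx:loginId} - %m%n"/>
    </Console>

    <!-- AFTER: %X{loginId} reads the same Thread Context Map entry but the
         pattern converter prints the value as-is; no lookup is evaluated on
         it. %mdc{loginId} and %MDC{loginId} are equivalent spellings. -->
    <Console name="After" target="SYSTEM_OUT">
      <PatternLayout pattern="%d{HH:mm:ss.SSS} [%t] %-5level %logger{36} user=%X{loginId} - %m%n"/>
    </Console>
  </Appenders>

  <Loggers>
    <!-- Only the corrected appender is wired up; "Before" is kept solely to
         show the pattern the advisory says to replace. -->
    <Root level="info">
      <AppenderRef ref="After"/>
    </Root>
  </Loggers>
</Configuration>
```

As the report above points out, this change only removes lookups from the layout pattern itself; on 2.14.0 it does not change how lookup expressions inside the logged message are handled, and the upgrade path listed in the quoted advisory remains the fix for that part.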