[
https://issues.apache.org/jira/browse/LOG4J2-3371?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17484040#comment-17484040
]
4ra1n commented on LOG4J2-3371:
-------------------------------
Thank you for your reply. Layouts using JsonTemplateLayout and GelfLayout do
not have problems. However, the actual project does not necessarily use the
above two layouts.
For example, when configuring log4j2, many programmers will use some layout
configurations commonly used on the Internet. I tested some articles and blogs
and found that there is an injection problem. Or in some simple projects, the
default layout is directly used without configuration.
As a widely used standard library, dealing with any possible situation may be a
better solution, such as dealing with log injection in the default layout or
filtering some of its input
> Log Injection Vulnerability exists in Log4j2 default configuration
> ------------------------------------------------------------------
>
> Key: LOG4J2-3371
> URL: https://issues.apache.org/jira/browse/LOG4J2-3371
> Project: Log4j 2
> Issue Type: Bug
> Components: Core
> Affects Versions: 2.17.1
> Reporter: 4ra1n
> Assignee: Ralph Goers
> Priority: Major
>
> For information about log injection, refer to OWASP:
> [https://owasp.org/www-community/attacks/Log_Injection]
>
> Some time ago, the spring framework revealed two CVE vulnerabilities related
> to log injection: CVE-2021-22096 and CVE-2021-22060:
> [https://tanzu.vmware.com/security/cve-2021-22096]
> [https://tanzu.vmware.com/security/cve-2021-22060]
> Their fix is to filter the log content, such as not allowing line seprators
>
> Some time ago, I found a log injection vulnerability in Apache Shiro.
> Although the vulnerability is effective and can be triggered, they think I
> should report the problem to Apahce Log4j and prevent such log injection
> vulnerability under the default configuration
>
> code(under the default configuration)
> {code:java}
> public static void main(String[] args) {
> Logger logger = LogManager.getLogger(Main.class);
> logger.info("test\n00:00:00.000 [main] ERROR com.text.Class -
> xxx\nxxx");
> } {code}
>
> output(under the default configuration)
> {code:java}
> 09:47:34.190 [main] INFO com.example.Main - test
> 00:00:00.000 [main] ERROR com.text.Class - xxx
> xxx {code}
> On the exploitation of vulnerabilities: for example, add some confused logs,
> such as forged IP, forged classes, forged error reports and exceptions, which
> brings trouble to the operation and maintenance personnel and auditors.
> Further, if there is an internal log analysis platform, and the xxx is
> wrapped by the script tag, that is, JavaScript code, the platform reading the
> log may have XSS vulnerabilities.
--
This message was sent by Atlassian Jira
(v8.20.1#820001)
