[
https://issues.apache.org/jira/browse/LOG4J2-3371?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17490694#comment-17490694
]
Ralph Goers commented on LOG4J2-3371:
-------------------------------------
[~ggregory] We certainly could escape all control characters. That is exactly
what Json Template Layout does. However, that would require an enhancement to
the enc pattern converter.
[~4ra1n] Although as a group we haven't discussed it, I suspect we would not
change the default behavior of the PatternLayout. That would be very disruptive
to users.
> Log Injection Vulnerability exists in Log4j2 default configuration
> ------------------------------------------------------------------
>
> Key: LOG4J2-3371
> URL: https://issues.apache.org/jira/browse/LOG4J2-3371
> Project: Log4j 2
> Issue Type: Bug
> Components: Core
> Affects Versions: 2.17.1
> Reporter: 4ra1n
> Assignee: Ralph Goers
> Priority: Major
>
> For information about log injection, refer to OWASP:
> [https://owasp.org/www-community/attacks/Log_Injection]
>
> Some time ago, the spring framework revealed two CVE vulnerabilities related
> to log injection: CVE-2021-22096 and CVE-2021-22060:
> [https://tanzu.vmware.com/security/cve-2021-22096]
> [https://tanzu.vmware.com/security/cve-2021-22060]
> Their fix is to filter the log content, such as not allowing line separators.
>
> Some time ago, I found a log injection vulnerability in another Apache project,
> which uses log4j2. Although the vulnerability is effective and can be
> triggered, they think I should report the problem to Apache Log4j and prevent
> such log injection vulnerabilities under the default configuration.
>
> code (under the default configuration)
> {code:java}
> import org.apache.logging.log4j.LogManager;
> import org.apache.logging.log4j.Logger;
>
> public class Main {
>     public static void main(String[] args) {
>         Logger logger = LogManager.getLogger(Main.class);
>         // Attacker-controlled text containing line separators, logged under the default configuration
>         logger.info("test\n00:00:00.000 [main] ERROR com.text.Class - xxx\nxxx");
>     }
> }
> {code}
>
> output (under the default configuration)
> {code:java}
> 09:47:34.190 [main] INFO com.example.Main - test
> 00:00:00.000 [main] ERROR com.text.Class - xxx
> xxx {code}
> On the exploitation of vulnerabilities: for example, add some confusing logs,
> such as forged IPs, forged classes, forged error reports and exceptions, which
> brings trouble to the operation and maintenance personnel and auditors.
> Further, if there is an internal log analysis platform, and the xxx is
> wrapped in a script tag, that is, JavaScript code, the platform reading the
> log may have XSS vulnerabilities.
--
This message was sent by Atlassian Jira
(v8.20.1#820001)
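The following is an added example, written for this page and not code from the ticket, from its reporter or from the Log4j project. It puts the default-style PatternLayout pattern that produced the output above next to the same pattern with the message wrapped in the `enc` converter's CRLF mode, which the Log4j PatternLayout documentation describes as replacing a carriage return or line feed inside the message with the two-character text `\r` or `\n`, so the forged ERROR record stays on the INFO line it was injected into. Because `enc{...}{CRLF}` covers only CR and LF, and escaping every control character is what Ralph Goers says would need a converter enhancement, the example also carries an application-side `escapeControls` helper that does that escaping before the message reaches the layout. The class name `LogInjectionDemo`, the appender names `raw` and `crlf`, the helper and its `\\uXXXX` escape form are this example's assumptions; it assumes `log4j-api` and `log4j-core` 2.x on the classpath.

```java
import org.apache.logging.log4j.Level;
import org.apache.logging.log4j.LogManager;
import org.apache.logging.log4j.Logger;
import org.apache.logging.log4j.core.appender.ConsoleAppender;
import org.apache.logging.log4j.core.config.Configurator;
import org.apache.logging.log4j.core.config.builder.api.AppenderComponentBuilder;
import org.apache.logging.log4j.core.config.builder.api.ConfigurationBuilder;
import org.apache.logging.log4j.core.config.builder.api.ConfigurationBuilderFactory;
import org.apache.logging.log4j.core.config.builder.impl.BuiltConfiguration;

// Hypothetical class name; the appender names "raw" and "crlf" are this example's choice.
public class LogInjectionDemo {

    // The pattern behind the ticket's default-configuration output: the message goes out verbatim.
    static final String RAW_PATTERN =
            "%d{HH:mm:ss.SSS} [%t] %-5level %logger{36} - %msg%n";

    // Same pattern with the message wrapped in the enc converter's CRLF mode, which rewrites
    // a carriage return or line feed inside the message as the two characters \r or \n.
    static final String CRLF_PATTERN =
            "%d{HH:mm:ss.SSS} [%t] %-5level %logger{36} - %enc{%msg}{CRLF}%n";

    // Builds a console appender that writes with the given PatternLayout pattern.
    static AppenderComponentBuilder consoleAppender(
            ConfigurationBuilder<BuiltConfiguration> b, String name, String pattern) {
        return b.newAppender(name, "Console")
                .addAttribute("target", ConsoleAppender.Target.SYSTEM_OUT)
                .add(b.newLayout("PatternLayout").addAttribute("pattern", pattern));
    }

    // Application-side escaping of every ISO control character (U+0000..U+001F and U+007F),
    // not only CR and LF, so ESC-based terminal sequences and backspaces cannot reach the log
    // either. Helper and its \\uXXXX output form are this example's assumption, not a Log4j API.
    static String escapeControls(String untrusted) {
        StringBuilder out = new StringBuilder(untrusted.length());
        for (int i = 0; i < untrusted.length(); i++) {
            char c = untrusted.charAt(i);
            if (Character.isISOControl(c)) {
                out.append(String.format("\\u%04X", (int) c));
            } else {
                out.append(c);
            }
        }
        return out.toString();
    }

    public static void main(String[] args) {
        ConfigurationBuilder<BuiltConfiguration> b = ConfigurationBuilderFactory.newConfigurationBuilder();
        b.add(consoleAppender(b, "raw", RAW_PATTERN));
        b.add(consoleAppender(b, "crlf", CRLF_PATTERN));
        b.add(b.newRootLogger(Level.INFO)
                .add(b.newAppenderRef("raw"))
                .add(b.newAppenderRef("crlf")));
        // Install the programmatic configuration before the first logger is requested.
        Configurator.initialize(b.build());

        Logger logger = LogManager.getLogger(LogInjectionDemo.class);

        // The ticket's proof-of-concept input: a forged ERROR record spliced in after a newline.
        String attackerInput = "test\n00:00:00.000 [main] ERROR com.text.Class - xxx\nxxx";

        // "raw" emits three physical lines, the middle one indistinguishable from a real ERROR
        // record; "crlf" emits a single line in which each newline appears as the text \n.
        logger.info(attackerInput);

        // A payload the CRLF mode does not cover: an ESC character starting a terminal control
        // sequence (constructed sample). Escaping at the call site removes it before the layout.
        String escPayload = "user=\u001b[2Jadmin";
        logger.info(escapeControls(escPayload));
    }
}
```

Run it with `log4j-api` and `log4j-core` on the classpath and compare the two copies of each record on stdout: only the `raw` appender reproduces the three-line forgery shown in the ticket. The same `%enc{%msg}{CRLF}` change can be made in a log4j2.xml `<PatternLayout pattern="...">` attribute, which is the route to take for an existing deployment rather than a programmatic configuration.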