
Adds information about Thread Context Map Property Substitutions that might still be vulnerable even with formatMsgNoLookups=true #298

Closed
wants to merge 1 commit into from

Conversation

kmindi

@kmindi kmindi commented Dec 14, 2021

Adds information about Thread Context Map Property Substitutions that might still be vulnerable even with formatMsgNoLookups=true

Please verify before just merging: I could only create a minimal example and minimal checks of whether 2.14.1 is really still vulnerable when using ctx. It would be great to hear if someone could confirm this.

I'm not sure about the other property substitutions and in general how popular these are; at least for some commercial products ctx seems to be used.

Adds information about Thread Context Map Property Substitutions that might still be vulnerable even with formatMsgNoLookups=true
@CLAassistant

CLAassistant commented Dec 14, 2021

CLA assistant check
All committers have signed the CLA.

@kmindi
Author

kmindi commented Dec 14, 2021

Got at least one confirmation apache/logging-log4j2#608 (comment)

@SpComb

SpComb commented Dec 14, 2021

Note in particular that the thread context lookups seem to also be affected under 2.15.0. AFAIK the 2.10.x mitigation mechanism and 2.15.0 fixes to disable message lookups are very similar, so the same issue with context lookups affects both.

I believe the JNDI restrictions in 2.15.0 / disabling in 2.15.1 will still stop the (known) RCE and DNS infoleaks, but the context lookups seem to get expanded recursively.

@pl-semiotics

pl-semiotics commented Dec 14, 2021

I can also confirm this problem exists (I also found it yesterday; I just found this PR) and that it affects the formatMsgNoLookups=true case and 2.15.0. My example is here. I have reported this on the log4j JIRA as well, as LOG4J2-3221.

@freeqaz
Member

freeqaz commented Dec 14, 2021

Howdy y'all, I'm just waking up and looking at this. Give me a bit to dig through this and verify what's going on before I push this out. Thanks for the context!

@SpComb

SpComb commented Dec 14, 2021

Just in: https://lists.apache.org/thread/83y7dx5xvn3h5290q1twn16tltolv88f (CVE-2021-45046)

@factoidforrest
Contributor

Wow, so that would mean that 2.15.0 is also vulnerable? Yeah. Wow. I'll start making the changes to the blog; this affects a lot of stuff.

@rgmz

rgmz commented Dec 14, 2021

@factoidforrest the impact on 2.15.0 is limited because it can only connect to whitelisted IPs (localhost), in addition to the exploit criteria being more specific. The main concern, imo, is applications using < 2.15.0 that have applied the noLookup flag as a mitigation.

2.16.0 disables JNDI by default and removes the message lookup feature.

@SpComb

SpComb commented Dec 14, 2021

Yeah, assuming you've already updated to 2.15.0 then CVE-2021-45046 isn't as impactful as CVE-2021-44228. I think the main cause for concern is the -Dlog4j2.formatMsgNoLookups=true mitigation bypass allowing JNDI-based RCE/infoleak on versions < 2.15.0 under certain non-default configurations. My wording on this, please correct me if I am wrong:

EDIT: moved to https://issues.apache.org/jira/browse/LOG4J2-3221?focusedCommentId=17459492&page=com.atlassian.jira.plugin.system.issuetabpanels%3Acomment-tabpanel#comment-17459492

@factoidforrest
Contributor

Yeah, we just reproduced the RCE and DoS on 2.14 and 2.15 respectively. New blog post about this in the works.

@quaff

quaff commented Dec 16, 2021

Please add a note that %X{}, %mdc{} and %MDC{} are not affected; only ${ctx:} is affected.
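The thread makes two points a defender can turn into a check: the `-Dlog4j2.formatMsgNoLookups=true` mitigation does not cover `${ctx:}` Thread Context Map lookups in layout patterns on versions below 2.15.0 (rgmz's and SpComb's comments), and the `%X{}` / `%mdc{}` / `%MDC{}` pattern converters are not affected, only the `${ctx:}` lookup is (quaff's comment). The following is an added example, not code from this repository or from the Log4j project: it scans a log4j2 XML configuration for `${ctx:}` (and the config-load-escaped `$${ctx:}`) in attribute values and element text, and classifies the finding against the version claims made in this thread. The two configurations embedded below are constructed samples, and the version thresholds encode only what the comments above state.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample log4j2.xml configurations (not taken from any real deployment).
# The first renders the Thread Context Map with %X{loginId}, which the thread
# reports as unaffected; the second uses the ${ctx:loginId} property lookup at issue.
SAFE_CONFIG = """<?xml version="1.0" encoding="UTF-8"?>
<Configuration status="WARN">
  <Appenders>
    <Console name="Console" target="SYSTEM_OUT">
      <PatternLayout pattern="%d{HH:mm:ss} [%t] %X{loginId} %-5level %logger{36} - %m%n"/>
    </Console>
  </Appenders>
  <Loggers><Root level="info"><AppenderRef ref="Console"/></Root></Loggers>
</Configuration>
"""

RISKY_CONFIG = """<?xml version="1.0" encoding="UTF-8"?>
<Configuration status="WARN">
  <Appenders>
    <Console name="Console" target="SYSTEM_OUT">
      <PatternLayout>
        <Pattern>%d{HH:mm:ss} [%t] ${ctx:loginId} %-5level %logger{36} - %m%n</Pattern>
      </PatternLayout>
    </Console>
  </Appenders>
  <Loggers><Root level="info"><AppenderRef ref="Console"/></Root></Loggers>
</Configuration>
"""

# Matches ${ctx:name} as well as the $${ctx:name} form, which Log4j unescapes
# when the configuration is loaded and then evaluates per log event.
CTX_LOOKUP = re.compile(r"\$\$?\{ctx:[^}]*\}")


def find_ctx_lookups(xml_text):
    """Return (element tag, location, matched lookup) for every ${ctx:} occurrence
    found in attribute values or element text of a log4j2 XML configuration.
    %X{}/%mdc{}/%MDC{} converters are deliberately not reported."""
    root = ET.fromstring(xml_text)
    findings = []
    for elem in root.iter():
        for attr, value in elem.attrib.items():
            for match in CTX_LOOKUP.finditer(value):
                findings.append((elem.tag, f"@{attr}", match.group(0)))
        if elem.text:
            for match in CTX_LOOKUP.finditer(elem.text):
                findings.append((elem.tag, "text", match.group(0)))
    return findings


def parse_version(version):
    """Turn '2.14.1' into (2, 14, 1) so versions compare numerically."""
    return tuple(int(part) for part in version.split("."))


def assess(version, findings):
    """Classify the exposure using only the version statements made in the thread."""
    if not findings:
        return "no ${ctx:} lookup in layout patterns; %X/%mdc/%MDC are not affected"
    v = parse_version(version)
    if v < (2, 15, 0):
        return ("at risk: formatMsgNoLookups=true does not cover ${ctx:} lookups "
                "(CVE-2021-45046); upgrade")
    if v < (2, 16, 0):
        return "limited exposure on 2.15.x (CVE-2021-45046); upgrade to 2.16.0 or later"
    return "2.16.0+ disables JNDI by default; review remaining lookup use"


if __name__ == "__main__":
    for label, config in (("safe", SAFE_CONFIG), ("risky", RISKY_CONFIG)):
        hits = find_ctx_lookups(config)
        print(label, hits, "->", assess("2.14.1", hits))
```

Run against a real configuration by reading the file into `find_ctx_lookups`; a hit on a version below 2.15.0 means the `formatMsgNoLookups` flag alone is not a sufficient mitigation for that deployment, which is the point the thread is making.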
