Adds information about Thread Context Map Property Substitutions that might still be vulnerable even with formatMsgNoLookups=true #298
Got at least one confirmation apache/logging-log4j2#608 (comment)
Note in particular that the thread context lookups seem to also be affected under 2.15.0. AFAIK the 2.10.x mitigation mechanism and 2.15.0 fixes to disable message lookups are very similar, so the same issue with context lookups affects both. I believe the JNDI restrictions in 2.15.0 / disabling in 2.15.1 will still stop the (known) RCE and DNS infoleaks, but the context lookups seem to get expanded recursively.
I can also confirm this problem exists (I also found it yesterday - just found this PR) and affects the formatMsgNoLookups=true case and 2.15.0. My example is here. I have reported on the log4j JIRA as well as LOG4J2-3221.
Howdy y'all, I'm just waking up and looking at this. Give me a bit to dig through this and verify what's going on before I push this out. Thanks for the context!
Wow so that would mean that 2.15.0 is also vulnerable? Yeah. Wow. I'll start making the changes to the blog, this affects a lot of stuff.
@factoidforrest the impact to 2.15.0 is limited because it can only connect to whitelisted IPs (localhost), in addition to the exploit criteria being more specific. The main concern, imo, is applications using < 2.15.0 that have applied the noLookup flag as a mitigation. 2.16.0 disables JNDI by default and removes the message lookup feature.
Yeah, assuming you've already updated to 2.15.0 then CVE-2021-45046 isn't as impactful as CVE-2021-44228. I think the main cause for concern is the
Yeah, we just reproduced the RCE and DOS on 2.14 and 2.15 respectively. New blog post about this in the works |
Please add notes that
Please verify before just merging. I could just create a minimal example and minimal checks if 2.14.1 is really still vulnerable when using ctx. Great to hear if someone could confirm this.
I'm not sure about the other property substitutions and in general how popular these are; at least for some commercial products ctx seems to be used.
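The thread's point is that `formatMsgNoLookups=true` only stops lookups inside the log *message*, so a `${ctx:...}` substitution written into a layout pattern is still expanded (recursively) from attacker-influenced Thread Context Map values. A defender therefore wants to know whether any of their log4j2 configurations contain such a pattern, independently of that flag. The following scanner is an added example written for this discussion, not code from the PR or from the Log4j project; the `log4j2.xml` it parses is constructed inline, and the `${ctx:` regular expression and the helper names are assumptions of this example.

```python
import re
from xml.etree import ElementTree as ET

# Constructed sample log4j2.xml (not from the PR). The first PatternLayout uses the
# ${ctx:...} property substitution discussed in the thread; the second uses the
# %X{...} pattern converter, which is not a ${...} substitution.
SAMPLE_CONFIG = """<Configuration status="WARN">
  <Appenders>
    <Console name="Stdout" target="SYSTEM_OUT">
      <PatternLayout pattern="%d %p %c{1.} [%t] ${ctx:loginId} %m%n"/>
    </Console>
    <File name="Audit" fileName="audit.log">
      <PatternLayout>
        <Pattern>%d %p %X{loginId} %m%n</Pattern>
      </PatternLayout>
    </File>
  </Appenders>
  <Loggers>
    <Root level="info"><AppenderRef ref="Stdout"/></Root>
  </Loggers>
</Configuration>
"""

# Matches ${ctx:key} and, because "$${" contains "${", the deferred form $${ctx:key} too.
CTX_LOOKUP = re.compile(r"\$\{ctx:[^}]*\}")


def find_ctx_lookups(xml_text):
    """Return (tag, location, text) for every attribute or element text
    in the configuration that contains a ${ctx:...} substitution."""
    root = ET.fromstring(xml_text)
    hits = []
    for elem in root.iter():
        # Attribute form: <PatternLayout pattern="...${ctx:...}..."/>
        for attr, value in elem.attrib.items():
            if CTX_LOOKUP.search(value):
                hits.append((elem.tag, "@" + attr, value))
        # Element-text form: <Pattern>...${ctx:...}...</Pattern>
        if elem.text and CTX_LOOKUP.search(elem.text):
            hits.append((elem.tag, "text", elem.text.strip()))
    return hits


def assess(xml_text, format_msg_no_lookups):
    """Summarise exposure. The flag is reported but deliberately does not change
    the verdict: per the thread, ${ctx:...} in a layout is expanded either way."""
    hits = find_ctx_lookups(xml_text)
    if not hits:
        return "no ${ctx:...} substitutions found in layout configuration"
    flag = "set" if format_msg_no_lookups else "not set"
    lines = ["formatMsgNoLookups is %s, but the following ${ctx:...} substitutions "
             "are still expanded from Thread Context Map values:" % flag]
    for tag, where, text in hits:
        lines.append("  <%s> %s: %s" % (tag, where, text))
    lines.append("mitigation: remove the substitution from the pattern (use the %X{key} "
                 "converter instead) and upgrade to a Log4j release without this behaviour")
    return "\n".join(lines)


if __name__ == "__main__":
    print(assess(SAMPLE_CONFIG, format_msg_no_lookups=True))
```

Run it against real configuration files by replacing `SAMPLE_CONFIG` with the file contents; a clean result only means the `ctx` substitution is absent, since the thread leaves the other property substitutions unexamined.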