New subject: [Bug 2034067] CVE-2021-45105 log4j-core: DoS in log4j 2.x with Thread Context Map (MDC) input data contains a recursive lookup and context lookup pattern

19 Dec 2021


      https://bugzilla.redhat.com/show_bug.cgi?id=2034067
Bug ID: 2034067
           Summary: CVE-2021-45105 log4j-core: DoS in log4j 2.x with
                    Thread Context Map (MDC) input data contains a
                    recursive lookup and context lookup pattern
           Product: Security Response
          Hardware: All
                OS: Linux
            Status: NEW
         Component: vulnerability
          Keywords: Security
          Severity: medium
          Priority: medium
          Assignee: security-response-team@redhat.com
          Reporter: jwon@redhat.com
                CC: aboyko@redhat.com, ahenning@redhat.com,
                    akoufoud@redhat.com, alazarot@redhat.com,
                    almorale@redhat.com, anstephe@redhat.com,
                    aos-bugs@redhat.com, asoldano@redhat.com,
                    atangrin@redhat.com, avibelli@redhat.com,
                    bbaranow@redhat.com, bdettelb@redhat.com,
                    bgeorges@redhat.com, bmaxwell@redhat.com,
                    bmontgom@redhat.com, brian.stansberry@redhat.com,
                    cdewolf@redhat.com, chazlett@redhat.com,
                    clement.escoffier@redhat.com, crarobin@redhat.com,
                    dandread@redhat.com, darran.lofthouse@redhat.com,
                    dbhole@redhat.com, devrim@gunduz.org,
                    dkreling@redhat.com, dosoudil@redhat.com,
                    eleandro@redhat.com, eparis@redhat.com,
                    etirelli@redhat.com, ewolinet@redhat.com,
                    fjuma@redhat.com, gsmet@redhat.com,
                    hamadhan@redhat.com, ibek@redhat.com,
                    iweiss@redhat.com,
                    java-sig-commits@lists.fedoraproject.org,
                    jburrell@redhat.com, jcantril@redhat.com,
                    jmadigan@redhat.com, jochrist@redhat.com,
                    jokerman@redhat.com, jpallich@redhat.com,
                    jperkins@redhat.com, jrokos@redhat.com,
                    jstastny@redhat.com, jwon@redhat.com,
                    kaycoth@redhat.com, krathod@redhat.com,
                    kverlaen@redhat.com, kwills@redhat.com,
                    lgao@redhat.com, lthon@redhat.com,
                    mizdebsk@redhat.com, mnovotny@redhat.com,
                    msochure@redhat.com, msvehla@redhat.com,
                    mszynkie@redhat.com, ngough@redhat.com,
                    nstielau@redhat.com, nwallace@redhat.com,
                    pamccart@redhat.com, paul.wouters@aiven.io,
                    peholase@redhat.com, pgallagh@redhat.com,
                    pjindal@redhat.com, pmackay@redhat.com,
                    probinso@redhat.com, pskopek@redhat.com,
                    rguimara@redhat.com, rrajasek@redhat.com,
                    rruss@redhat.com, rstancel@redhat.com,
                    rsvoboda@redhat.com, sbiarozk@redhat.com,
                    sd-operator-metering@redhat.com, sdouglas@redhat.com,
                    sguilhen@redhat.com, smaestri@redhat.com,
                    sponnaga@redhat.com, tflannag@redhat.com,
                    tom.jenkinson@redhat.com, tzimanyi@redhat.com,
                    vkumar@redhat.com, yborgess@redhat.com
            Blocks: 2030930
  Target Milestone: ---
    Classification: Other
Apache Log4j2 versions 2.0-alpha1 through 2.16.0 did not protect from
uncontrolled recursion from self-referential lookups. When the logging
configuration uses a non-default Pattern Layout with a Context Lookup (for
example, $${ctx:loginId}), attackers with control over Thread Context Map (MDC)
input data can craft malicious input data that contains a recursive lookup,
resulting in a StackOverflowError that will terminate the process. This is also
known as a DOS (Denial of Service) attack.
This issue is being tracked as LOG4J2-3230
Mitigation:
Implement one of the following mitigation techniques:
* Java 8 (or later) users should upgrade to release 2.17.0.
Alternatively, this can be mitigated in configuration:
* In PatternLayout in the logging configuration, replace Context Lookups like
${ctx:loginId} or $${ctx:loginId} with Thread Context Map patterns (%X, %mdc,
or %MDC).
* Otherwise, in the configuration, remove references to Context Lookups like
${ctx:loginId} or $${ctx:loginId} where they originate from sources external to
the application such as HTTP headers or user input.
Note that only the log4j-core JAR file is impacted by this vulnerability.
Applications using only the log4j-api JAR file without the log4j-core JAR file
are not impacted by this vulnerability.
Reference:
https://logging.apache.org/log4j/2.x/security.html
https://www.openwall.com/lists/oss-security/2021/12/19/1
https://issues.apache.org/jira/browse/LOG4J2-3230
-- 
You are receiving this mail because:
You are on the CC list for the bug.
https://bugzilla.redhat.com/show_bug.cgi?id=2034067

[Bug 2034067] New: CVE-2021-45105 log4j-core: DoS in log4j 2.x with Thread Context Map (MDC) input data contains a recursive lookup and context lookup pattern