CVE-2021-45105: Apache Log4j2 does not always protect from infinite recursion in lookup evaluation

[Matt Sicker <ma...@apache.org>]

Severity: high

Description:

Apache Log4j2 versions 2.0-alpha1 through 2.16.0 did not protect from
uncontrolled recursion from self-referential lookups. This allows an
attacker with control over Thread Context Map data to cause a denial
of service when a crafted string is interpreted. This issue was fixed
in Log4j 2.17.0.

This issue is being tracked as LOG4J2-3230

Mitigation:

Implement one of the following mitigation techniques:

* Java 8 (or later) users should upgrade to release 2.17.0.

Alternatively, this can be mitigated in configuration:

* In PatternLayout in the logging configuration, replace Context
Lookups like `${ctx:loginId}` or `$${ctx:loginId}` with Thread Context
Map patterns (%X, %mdc, or %MDC).
* Otherwise, in the configuration, remove references to Context
Lookups like `${ctx:loginId}` or `$${ctx:loginId}` where they
originate
from sources external to the application such as HTTP headers or user input.

Credit:

Independently discovered by Hideki Okamoto of Akamai Technologies, Guy
Lederfein of Trend Micro Research working with Trend Micro’s Zero Day
Initiative, and another anonymous vulnerability researcher

References:

https://logging.apache.org/log4j/2.x/security.html


-- 
Matt Sicker
PMC Member, Logging Services, Apache Software Foundation