You are viewing a plain text version of this content. The canonical link for it is here.
Posted to dev@logging.apache.org by Leon Finker <le...@gmail.com> on 2021/12/20 14:10:22 UTC

CVE-2021-45105 and using ctx for router appender

Hi,

Could someone please confirm if using ctx in the Routing appender is
not affected by the latest CVE-2021-45105?

Example,
<Routing name="Routing">
     <Routes pattern="$${ctx:ROUTINGKEY}">

I wouldn't think so. Just want to double check.

Thank you very much!

Re: CVE-2021-45105 and using ctx for router appender

Posted by Leon Finker <le...@gmail.com>.
Thank you Ralph! Yes we never drive ${cx:Key} from any input. It's
either hardcoded or comes from controlled configuration.

On Mon, Dec 20, 2021 at 9:10 AM Leon Finker <le...@gmail.com> wrote:
>
> Hi,
>
> Could someone please confirm if using ctx in the Routing appender is
> not affected by the latest CVE-2021-45105?
>
> Example,
> <Routing name="Routing">
>      <Routes pattern="$${ctx:ROUTINGKEY}">
>
> I wouldn't think so. Just want to double check.
>
> Thank you very much!

Re: CVE-2021-45105 and using ctx for router appender

Posted by Ralph Goers <ra...@dslextreme.com>.
Using ${cx:Key} should not be used in releases below 2.16.0 in a routing key - or anything else 
that operates during log event processing - IF the key contains data that originates externally.

So if your key contains data from an HTTP header and you copy that data into a ThreadContext 
variable using that as a routing key could expose your application to bad behavior. In Log4j 2.17.0 
we have prevented lookups used while processing log events from recursing but even then if you
have a user sending you bogus stuff your routing key may create a route for each unique key, 
depending on how you configured your routes.

If you must use HTTP headers in this way you should “sanitize” then in a Servlet Filter before 
they hit your application, only allowing headers that match the “rules” for whatever the data is. 

Ralph

> On Dec 20, 2021, at 7:10 AM, Leon Finker <le...@gmail.com> wrote:
> 
> Hi,
> 
> Could someone please confirm if using ctx in the Routing appender is
> not affected by the latest CVE-2021-45105?
> 
> Example,
> <Routing name="Routing">
>     <Routes pattern="$${ctx:ROUTINGKEY}">
> 
> I wouldn't think so. Just want to double check.
> 
> Thank you very much!
>