CVE-2021-45105: Apache Log4j2 Denial of Service Vulnerability Alert

Apache Log4j versions 2.0-alpha1 through 2.16.0 are affected by a new vulnerability, CVE-2021-45105, rated 7.5. It has been fixed in the just-released Log4j 2.17.0 (which requires Java 8).

Vulnerability Detail

Apache Log4j2 versions 2.0-alpha1 through 2.16.0 did not protect against uncontrolled recursion from self-referential lookups. When the logging configuration uses a non-default PatternLayout containing a Context Lookup (for example, $${ctx:loginId}), an attacker who controls Thread Context Map (MDC) input data can supply a value that itself contains a recursive lookup. Resolving that value recurses without bound, resulting in a StackOverflowError that terminates the process. The result is a denial of service (DoS).

Affected version

  • All versions from 2.0-alpha1 through 2.16.0

Unaffected version

  • Apache Log4j2 2.17.0

Solution

We recommend that users upgrade to release 2.17.0.

Mitigation measures

  • In the PatternLayout of the logging configuration, replace Context Lookups such as ${ctx:loginId} or $${ctx:loginId} with Thread Context Map patterns (%X, %mdc, or %MDC), which print the map value as text without resolving lookups inside it.
  • Otherwise, remove from the configuration any Context Lookups such as ${ctx:loginId} or $${ctx:loginId} whose values originate from sources external to the application, such as HTTP headers or other user input.
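
To make the vulnerability detail and the first mitigation measure concrete, the following log4j2.xml is an added example; it is not taken from the Apache advisory or from the Log4j project. The first appender uses the affected Context Lookup pattern, the second uses the equivalent Thread Context Map pattern. The appender names, the loginId key, and the surrounding %d/%t/%logger fields are assumptions chosen for illustration.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Added example, not part of the advisory or the Log4j project.
     Appender names, the loginId key and the decorative pattern fields are illustrative assumptions. -->
<Configuration status="WARN">
  <Appenders>
    <!-- AFFECTED on 2.0-alpha1 through 2.16.0: $${ctx:loginId} is a Context Lookup.
         The doubled "$$" defers substitution from configuration-load time to log-event time,
         so the value stored under loginId in the Thread Context Map is itself passed through
         lookup substitution. If that value came from user input and reads "${ctx:loginId}",
         the lookup resolves to itself and recurses until a StackOverflowError ends the process. -->
    <Console name="ConsoleAffected" target="SYSTEM_OUT">
      <PatternLayout pattern="%d{HH:mm:ss.SSS} [%t] %-5level %logger{36} user=$${ctx:loginId} - %msg%n"/>
    </Console>

    <!-- MITIGATED: %X{loginId} reads the same Thread Context Map entry and appends it as plain text.
         No lookup substitution is applied, so an MDC value of "${ctx:loginId}" is logged literally.
         %mdc{loginId} and %MDC{loginId} are equivalent spellings; a bare %X prints the whole map. -->
    <Console name="ConsoleMitigated" target="SYSTEM_OUT">
      <PatternLayout pattern="%d{HH:mm:ss.SSS} [%t] %-5level %logger{36} user=%X{loginId} - %msg%n"/>
    </Console>
  </Appenders>

  <Loggers>
    <!-- Only the mitigated appender is referenced; the affected one is kept solely for comparison. -->
    <Root level="info">
      <AppenderRef ref="ConsoleMitigated"/>
    </Root>
  </Loggers>
</Configuration>
```

Note that this configuration change only removes the recursion trigger from the layout; it does not replace the upgrade to 2.17.0, and any other Context Lookup fed from external input (the second mitigation item) still needs to be removed.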