Message-ID: <11aa374e-5dcf-71a3-9a56-aa1ea764cb12@eenterphace.org>
Date: Sat, 18 Dec 2021 11:30:16 +0100
From: Moritz Bechler <mbechler@...terphace.org>
To: oss-security@...ts.openwall.com
Subject: Re: CVE-2021-45046: Apache Log4j2 Thread Context Message Pattern and Context Lookup Pattern vulnerable to a denial of service attack

Hi,


> For =2.15 this is mostly mitigated by the fact protocol and target host 
> to which lookups are possible are also restricted to localhost by 
> default. There still seems to be a way to hang/crash the process, though.
> 

Updating that for completeness: a bypass of that hostname restriction 
was found by Alvaro Munoz, exploiting different URI interpretations by 
the standard Uri class and JNDI.
Therefore 2.15 can be vulnerable to RCE again if a layout with 
attacker-controlled input outside the message is used or the 
expression lookup has been re-enabled.

This also requires resolving a DNS name like 127.0.0.1#x.y.z or 
localhost#x.y.z, which some resolvers and likely recursors will directly 
reject.
Moritz
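The parser differential Moritz describes is worth seeing concretely from the defender's side. The following is an added illustration, not code from this message, from Alvaro Munoz's report or from Log4j itself: it shows why an allowlist that trusts `java.net.URI.getHost()` passes a name of the form `127.0.0.1#x.y.z`, and how a stricter check that refuses fragments and re-derives the authority the way a more lenient parser might would reject it. The allowlist contents, the `1389` port and the class and method names are assumptions chosen for the demo; the allowlist is only modelled on the 2.15 localhost default and omits IPv6 literals for brevity. Requires Java 9 or newer for `Set.of`.

```java
import java.net.URI;
import java.net.URISyntaxException;
import java.util.Set;
import java.util.regex.Pattern;

public class JndiHostCheckDemo {

    // Assumed allowlist, modelled on the 2.15 "localhost only" default (IPv6 omitted).
    static final Set<String> ALLOWED_HOSTS = Set.of("localhost", "127.0.0.1");

    // Strict hostname syntax: LDH labels separated by dots, which also covers dotted IPv4.
    static final Pattern STRICT_HOST = Pattern.compile(
        "^[A-Za-z0-9]([A-Za-z0-9-]*[A-Za-z0-9])?(\\.[A-Za-z0-9]([A-Za-z0-9-]*[A-Za-z0-9])?)*$");

    /** Naive check: trust whatever java.net.URI reports as the host. */
    static boolean naiveAllowed(String jndiName) {
        try {
            String host = new URI(jndiName).getHost();
            return host != null && ALLOWED_HOSTS.contains(host);
        } catch (URISyntaxException e) {
            return false;
        }
    }

    /** Hardened check: refuse anything a second parser could slice differently. */
    static boolean hardenedAllowed(String jndiName) {
        URI uri;
        try {
            uri = new URI(jndiName);
        } catch (URISyntaxException e) {
            return false;
        }
        // A JNDI lookup never needs a fragment or user-info. java.net.URI stops the
        // authority at '#', so a fragment is exactly where a divergent host reading hides.
        if (uri.getRawFragment() != null || uri.getRawUserInfo() != null) {
            return false;
        }
        // Re-derive the authority leniently: everything after "//" up to the first
        // '/' or '?' (or end of string), deliberately NOT treating '#' as a delimiter.
        int start = jndiName.indexOf("//");
        if (start < 0) {
            return false;
        }
        start += 2;
        int end = start;
        while (end < jndiName.length() && "/?".indexOf(jndiName.charAt(end)) < 0) {
            end++;
        }
        String rawAuthority = jndiName.substring(start, end);

        // Split an optional ":port"; the port must be plain digits.
        String host = rawAuthority;
        int colon = rawAuthority.lastIndexOf(':');
        if (colon >= 0) {
            host = rawAuthority.substring(0, colon);
            String port = rawAuthority.substring(colon + 1);
            if (!port.matches("\\d{1,5}")) {
                return false;
            }
        }
        // Strict syntax, agreement between both host readings, and the allowlist must all hold.
        return STRICT_HOST.matcher(host).matches()
            && host.equals(uri.getHost())
            && ALLOWED_HOSTS.contains(host);
    }

    public static void main(String[] args) {
        // Constructed sample names; "x.y.z" is the placeholder from the message above.
        String[] samples = {
            "ldap://127.0.0.1:1389/a",          // genuinely local: both checks accept
            "ldap://127.0.0.1#x.y.z:1389/a",    // naive check accepts, hardened check rejects
            "ldap://x.y.z:1389/a"               // not on the allowlist: both checks reject
        };
        for (String s : samples) {
            System.out.printf("%-36s naive=%-5b hardened=%b%n", s, naiveAllowed(s), hardenedAllowed(s));
        }
    }
}
```

Run with `java JndiHostCheckDemo.java` (Java 11+). The second line of output is the point of the demo: `java.net.URI` reports `127.0.0.1` as the host because `#` ends the authority, so a host-only allowlist is satisfied, while the raw text that a lenient resolver would be handed still carries `x.y.z`. The hardened variant does not try to second-guess either parser; it simply refuses any name whose readings could disagree, which is the cheaper and more robust defensive posture.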