Products Openwall GNU/*/Linux   server OS Linux Kernel Runtime Guard John the Ripper   password cracker Free & Open Source for any platform in the cloud Pro for Linux Pro for macOS Wordlists   for password cracking passwdqc   policy enforcement Free & Open Source for Unix Pro for Windows (Active Directory) yescrypt   KDF & password hashing yespower   Proof-of-Work (PoW) crypt_blowfish   password hashing phpass   ditto in PHP tcb   better password shadowing Pluggable Authentication Modules scanlogd   port scan detector popa3d   tiny POP3 daemon blists   web interface to mailing lists msulogin   single user mode login php_mt_seed   mt_rand() cracker Services Publications Articles Presentations Resources Mailing lists Community wiki Source code repositories (GitHub) Source code repositories (CVSweb) File archive & mirrors How to verify digital signatures OVE IDs What's new

Message-ID: <CAH8yC8=R7+DwZ19C0c3D_r=BL2Bde7rVQd11RcLKGSkdn0EVqw@mail.gmail.com>
Date: Wed, 15 Dec 2021 06:39:13 -0500
From: Jeffrey Walton <noloader@...il.com>
To: oss-security@...ts.openwall.com
Subject: Re: CVE-2021-45046: Apache Log4j2 Thread Context
 Message Pattern and Context Lookup Pattern vulnerable to a denial of service attack

Hi Ron,

> It was found that the fix to address CVE-2021-44228 in
> Apache Log4j 2.15.0 was incomplete in certain non-default
> configurations. This could allows [DoS]...

Is there any information on the non-default configuration that triggers the DoS?

What I am trying to understand is, if we clear the first CVE through,
say, envar LOG4J_FORMAT_MSG_NO_LOOKUPS=true or
-Dlog4j2.formatMsgNoLookups=true, then where does the vulnerability
lie for the second CVE? What configuration change needs to be done to
reduce risk on the second CVE after the first CVE has been mitigated?

The reason I ask is, we don't have the option of updating to v2.16 (or
v2.15) on some machines and programs, so we are trying to reduce and
manage the risk.

Jeff

On Tue, Dec 14, 2021 at 12:10 PM Ron Grabowski <rgrabowski@...che.org> wrote:
>
> Severity: moderate (CVSS: 3.7 AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L)
>
> Description:
>
> It was found that the fix to address CVE-2021-44228 in Apache Log4j 2.15.0 was incomplete in certain non-default configurations. This could allows attackers with control over Thread Context Map (MDC) input data when the logging configuration uses a non-default Pattern Layout with either a Context Lookup (for example, $${ctx:loginId}) or a Thread Context Map pattern (%X, %mdc, or %MDC) to craft malicious input data using a JNDI Lookup pattern resulting in a denial of service (DOS) attack. Log4j 2.15.0 restricts JNDI LDAP lookups to localhost by default. Note that previous mitigations involving configuration such as to set the system property `log4j2.noFormatMsgLookup` to `true` do NOT mitigate this specific vulnerability.
>
> Log4j 2.16.0 fixes this issue by removing support for message lookup patterns and disabling JNDI functionality by default.
>
> This issue can be mitigated in prior releases (<2.16.0) by removing the JndiLookup class from the classpath (example: zip -q -d log4j-core-*.jar org/apache/logging/log4j/core/lookup/JndiLookup.class).
>
> References:
>
> https://logging.apache.org/log4j/2.x/security.html
> https://www.cve.org/CVERecord?id=CVE-2021-44228

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.