The Apache Software Foundation (ASF) has revealed a third bug in its Log4 Java-based open-source logging library Log4j.
CVE-2021-45105 is a 7.5/10-rated infinite recursion bug that was present in Log4j2 versions 2.0-alpha1 through 2.16.0. The fix is version 2.17.0 of Log4j.
That’s the third new version of the tool in the last ten days.
In case you haven’t been paying attention, version 2.15.0 was created to fix CVE-2021-44228, the critical-rated and trivial-to-exploit remote code execution flaw present in many versions up to 2.14.0.
- CISA issues emergency directive to fix Log4j vulnerability
- Over Log4j? VMware has another critical flaw for you to patch
- As CISA tells US govt agencies to squash Log4j bug by Dec 24, fingers start pointing at China, Iran, others
But version 2.15.0 didn’t address another issue – CVE-2021-45046 – which allowed a remote attacker with control over Thread Context Map (MDC) to cook up malicious input using a JNDI Lookup pattern. The result could be remote code execution, thankfully not in all environments.
Version 2.16.0 fixed that problem.
But it didn’t fix CVE-2021-45105, which the ASF describes as follows:
Apache Log4j2 versions 2.0-alpha1 through 2.16.0 did not protect from uncontrolled recursion from self-referential lookups. When the logging configuration uses a non-default Pattern Layout with a Context Lookup
(for example, $${ctx:loginId}), attackers with control over Thread Context Map input data can craft malicious input data that contains a recursive lookup, resulting in a StackOverflowError that will terminate the process.Vendor-agnostic bug bounty program the Zero Day Initiative has described the flaw as follows.
When a nested variable is substituted by the
StrSubstitutorclass, it recursively calls thesubstitute()class. However, when the nested variable references the variable being replaced, the recursion is called with the same string. This leads to an infinite recursion and a DoS condition on the server.[…]
Source: Bad things come in threes: Apache reveals another Log4J bug • The Register
Robin Edgar
Organisational Structures | Technology and Science | Military, IT and Lifestyle consultancy | Social, Broadcast & Cross Media | Flying aircraft