1

LOG4J2-3230

 2 years ago
source link: https://issues.apache.org/jira/browse/LOG4J2-3230
Go to the source link to view the article. You can view the picture content, updated content and better typesetting reading experience. If the link is broken, please click the button below to view the snapshot at that time.
neoserver,ios ssh client
[LOG4J2-3230] Certain strings can cause infinite recursion

I've improved on our Log4j string substitutor class but in the Apache Commons Text component. It would be interesting to know if this string is a problem there as well, AFK ATM.

Hi BossColo 

You set the affect versions to "2.0, 2.0.1, 2.0.2, 2.1, 2.2, 2.3, 2.4, 2.4.1, 2.5, 2.6, 2.6.1, 2.6.2, 2.7, 2.8, 2.8.1, 2.8.2, 2.9.0, 2.9.1, 2.10.0, 2.11.0, 2.11.1, 2.11.2, 2.12.0, 2.12.1, 2.13.0, 2.13.1, 2.13.2, 2.14.0, 2.13.3, 2.14.1, 2.15.0, 2.16.0"

Are you saying you've actually tested all of these versions?

ggregory My sincerest apologies. Like most security engineers, I'm extremely short on time these days... I assumed, and I did the thing.

In the effort of being a good citizen, I went back and did actually test all the versions, and refined the list of affected versions. It also affects 2.12.2, but that's not selectable yet.

added a comment - 2 days ago - edited

Created a sample project that I believe reproduces this behavior.

(Results of testing in 2.8, 2.11.1, 2.14.0, and 2.16.0 on Java=openjdk 11.0.12 2021-07-20)

In 2.16.0:

  • if the suspect string is put in the PatternLayout, then that specific patternLayout will crash when loaded and replace itself with a PatternLayout that just logs what is handed to it with no formatting
  • logging the suspect string seems to have no affect, and it is passed untransformed to both System.Out or the file I specified as expected.

in 2.14.0, 2.11.1 and 2.8

  • The PatternLayout behaves the same as 2.16.0
  • logging the suspect string generates an exception in each Appender. The stack trace of each exception is dumped to Standard.Out, and the intended log message is lost.
  • Basic program flow does not seem to be affected. Log statements NOT including the suspect string are logged normally both before and after the suspect string generates the exceptions.

Example Code Used:

Error seen in console: (not logged)

2021-12-16 15:07:39,406 main ERROR Could not create plugin of type class org.apache.logging.log4j.core.layout.PatternLayout for element PatternLayout: java.lang.IllegalStateException: Infinite loop in property interpolation of ::-${::-$${::-j}}: : java.lang.IllegalStateException: Infinite loop in property interpolation of ::-${::-$${::-j}}: :
    at org.apache.logging.log4j.core.lookup.StrSubstitutor.checkCyclicSubstitution(StrSubstitutor.java:1081)
    at org.apache.logging.log4j.core.lookup.StrSubstitutor.substitute(StrSubstitutor.java:1029)
    at org.apache.logging.log4j.core.lookup.StrSubstitutor.substitute(StrSubstitutor.java:1042)
    at org.apache.logging.log4j.core.lookup.StrSubstitutor.substitute(StrSubstitutor.java:912)
    at org.apache.logging.log4j.core.lookup.StrSubstitutor.substitute(StrSubstitutor.java:978)
    at org.apache.logging.log4j.core.lookup.StrSubstitutor.substitute(StrSubstitutor.java:912)
    at org.apache.logging.log4j.core.lookup.StrSubstitutor.substitute(StrSubstitutor.java:978)
    at org.apache.logging.log4j.core.lookup.StrSubstitutor.substitute(StrSubstitutor.java:912)
    at org.apache.logging.log4j.core.lookup.StrSubstitutor.replace(StrSubstitutor.java:467)
    at org.apache.logging.log4j.core.config.plugins.visitors.PluginBuilderAttributeVisitor.visit(PluginBuilderAttributeVisitor.java:48)
    at org.apache.logging.log4j.core.config.plugins.util.PluginBuilder.injectFields(PluginBuilder.java:185)
    at org.apache.logging.log4j.core.config.plugins.util.PluginBuilder.build(PluginBuilder.java:121)
    at org.apache.logging.log4j.core.config.AbstractConfiguration.createPluginObject(AbstractConfiguration.java:1107)
    at org.apache.logging.log4j.core.config.AbstractConfiguration.createConfiguration(AbstractConfiguration.java:1032)
    at org.apache.logging.log4j.core.config.AbstractConfiguration.createConfiguration(AbstractConfiguration.java:1024)
    at org.apache.logging.log4j.core.config.AbstractConfiguration.createConfiguration(AbstractConfiguration.java:1024)
    at org.apache.logging.log4j.core.config.AbstractConfiguration.doConfigure(AbstractConfiguration.java:643)
    at org.apache.logging.log4j.core.config.AbstractConfiguration.initialize(AbstractConfiguration.java:243)
    at org.apache.logging.log4j.core.config.AbstractConfiguration.start(AbstractConfiguration.java:289)
    at org.apache.logging.log4j.core.LoggerContext.setConfiguration(LoggerContext.java:626)
    at org.apache.logging.log4j.core.LoggerContext.reconfigure(LoggerContext.java:699)
    at org.apache.logging.log4j.core.LoggerContext.reconfigure(LoggerContext.java:716)
    at org.apache.logging.log4j.core.LoggerContext.start(LoggerContext.java:270)
    at org.apache.logging.log4j.core.impl.Log4jContextFactory.getContext(Log4jContextFactory.java:155)
    at org.apache.logging.log4j.core.impl.Log4jContextFactory.getContext(Log4jContextFactory.java:47)
    at org.apache.logging.log4j.LogManager.getContext(LogManager.java:196)
    at org.apache.logging.log4j.LogManager.getLogger(LogManager.java:599)
    at net.jondotcomdotorg.TestDOS.<clinit>(TestDOS.java:7)


2021-12-16 15:50:49,924 main ERROR An exception occurred processing Appender Application java.lang.IllegalStateException: Infinite loop in property interpolation of ::-${::-$${::-j}}: :
    at org.apache.logging.log4j.core.lookup.StrSubstitutor.checkCyclicSubstitution(StrSubstitutor.java:1031)
    at org.apache.logging.log4j.core.lookup.StrSubstitutor.substitute(StrSubstitutor.java:978)
    at org.apache.logging.log4j.core.lookup.StrSubstitutor.substitute(StrSubstitutor.java:991)
    at org.apache.logging.log4j.core.lookup.StrSubstitutor.substitute(StrSubstitutor.java:878)
    at org.apache.logging.log4j.core.lookup.StrSubstitutor.substitute(StrSubstitutor.java:945)
    at org.apache.logging.log4j.core.lookup.StrSubstitutor.substitute(StrSubstitutor.java:878)
    at org.apache.logging.log4j.core.lookup.StrSubstitutor.substitute(StrSubstitutor.java:945)
    at org.apache.logging.log4j.core.lookup.StrSubstitutor.substitute(StrSubstitutor.java:878)
    at org.apache.logging.log4j.core.lookup.StrSubstitutor.replace(StrSubstitutor.java:433)
    at org.apache.logging.log4j.core.pattern.MessagePatternConverter.format(MessagePatternConverter.java:132)
    at org.apache.logging.log4j.core.pattern.PatternFormatter.format(PatternFormatter.java:38)
    at org.apache.logging.log4j.core.layout.PatternLayout$PatternSerializer.toSerializable(PatternLayout.java:334)
    at org.apache.logging.log4j.core.layout.PatternLayout.toText(PatternLayout.java:233)
    at org.apache.logging.log4j.core.layout.PatternLayout.encode(PatternLayout.java:218)
    at org.apache.logging.log4j.core.layout.PatternLayout.encode(PatternLayout.java:58)
    at org.apache.logging.log4j.core.appender.AbstractOutputStreamAppender.directEncodeEvent(AbstractOutputStreamAppender.java:177)
    at org.apache.logging.log4j.core.appender.AbstractOutputStreamAppender.tryAppend(AbstractOutputStreamAppender.java:170)
    at org.apache.logging.log4j.core.appender.AbstractOutputStreamAppender.append(AbstractOutputStreamAppender.java:161)
    at org.apache.logging.log4j.core.config.AppenderControl.tryCallAppender(AppenderControl.java:156)
    at org.apache.logging.log4j.core.config.AppenderControl.callAppender0(AppenderControl.java:129)
    at org.apache.logging.log4j.core.config.AppenderControl.callAppenderPreventRecursion(AppenderControl.java:120)
    at org.apache.logging.log4j.core.config.AppenderControl.callAppender(AppenderControl.java:84)
    at org.apache.logging.log4j.core.config.LoggerConfig.callAppenders(LoggerConfig.java:464)
    at org.apache.logging.log4j.core.config.LoggerConfig.processLogEvent(LoggerConfig.java:448)
    at org.apache.logging.log4j.core.config.LoggerConfig.log(LoggerConfig.java:431)
    at org.apache.logging.log4j.core.config.LoggerConfig.log(LoggerConfig.java:406)
    at org.apache.logging.log4j.core.config.AwaitCompletionReliabilityStrategy.log(AwaitCompletionReliabilityStrategy.java:63)
    at org.apache.logging.log4j.core.Logger.logMessage(Logger.java:146)
    at org.apache.logging.log4j.spi.AbstractLogger.tryLogMessage(AbstractLogger.java:2170)
    at org.apache.logging.log4j.spi.AbstractLogger.logMessageTrackRecursion(AbstractLogger.java:2125)
    at org.apache.logging.log4j.spi.AbstractLogger.logMessageSafely(AbstractLogger.java:2108)
    at org.apache.logging.log4j.spi.AbstractLogger.logMessage(AbstractLogger.java:2002)
    at org.apache.logging.log4j.spi.AbstractLogger.logIfEnabled(AbstractLogger.java:1974)
    at org.apache.logging.log4j.spi.AbstractLogger.info(AbstractLogger.java:1311)
    at net.jondotcomdotorg.TestDOS.doAThing(TestDOS.java:21)
    at net.jondotcomdotorg.TestDOS.main(TestDOS.java:28)

report

Recommend

About Joyk


Aggregate valuable and interesting links.
Joyk means Joy of geeK