[ https://issues.apache.org/jira/browse/LOG4J2-3230?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17461598#comment-17461598 ]

Mirko Friedenhagen commented on LOG4J2-3230:
--------------------------------------------

Many thanks for the clarification, [~jbristow]. After rereading what you wrote I just repeated your experiment. So I assume that 2.16 is somehow safe in that regard unless you are using strange patterns, right? We just updated a bunch of applications to 2.16.0 last week because of the log4j2-shell attack and this does not look as if we should work through the weekend to update :-).

> Certain strings can cause infinite recursion
> --------------------------------------------
>
>                 Key: LOG4J2-3230
>                 URL: https://issues.apache.org/jira/browse/LOG4J2-3230
>             Project: Log4j 2
>          Issue Type: Bug
>          Components: Core
>    Affects Versions: 2.8, 2.8.1, 2.8.2, 2.9.0, 2.9.1, 2.10.0, 2.11.0, 2.11.1,
> 2.11.2, 2.12.0, 2.12.1, 2.13.0, 2.13.1, 2.13.2, 2.14.0, 2.13.3, 2.14.1,
> 2.15.0, 2.16.0
>            Reporter: Ross Cohen
>            Assignee: Carter Kozak
>            Priority: Major
>             Fix For: 2.17.0
>
>         Attachments: sample.tar.gz
>
>
> If a string substitution is attempted for any reason on the following string,
> it will trigger an infinite recursion, and the application will crash:
> ${${::\-${::\-$${::\-j}}}}.

--
This message was sent by Atlassian Jira
(v8.20.1#820001)