ppkarwasz commented on code in PR #6:
URL: https://github.com/apache/logging-site/pull/6#discussion_r1932009167
##########
_vulnerabilities.adoc:
##########
@@ -106,8 +107,8 @@ Independently discovered by Hideki Okamoto of Akamai
Technologies, Guy Lederfein
|Summary |Thread Context Lookup is vulnerable to remote code execution in
certain configurations
|CVSS 3.x Score & Vector |9.0 CRITICAL
(CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H)
|Components affected |`log4j-core`
-|Versions affected |`[2.0-beta9, 2.3.1) ∪ [2.4, 2.12.3) ∪ [2.13.0, 2.17.0)`
-|Versions fixed |`2.3.1` (for Java 6), `2.12.3` (for Java 7), and `2.17.0`
(for Java 8 and later)
+|Versions affected |`[2.0-beta9, 2.3.1) ∪ [2.4, 2.12.3) ∪ [2.13.0, 2.16.0)`
Review Comment:
The way I see it:
- CVE-2021-44228 is about JNDI lookup injection through the `%m` pattern. It
was fixed in `2.15.0`.
- JNDI lookups could come from the recursive evaluation of `${ctx:…}` and
that is why we issued CVE-2021-45046 (and CVE-2021-45105), which were fixed in
`2.16.0`.
These numbers agree with those reported to the NVD and IMHO correcting the
order of evaluation of `%m` patterns and removing recursive evaluation of
`${…}` lookups cuts off all sources of user data that could be fed to the JNDI
lookup.
In case we forgot some call paths that lead to the JNDI lookup, version
`2.16.0`also prevents the instantiation of the lookup in `Interpolator` (its
only caller):
https://github.com/apache/logging-log4j2/blob/cffe58f6a433ea1ab60ceb129d4c9b3377acda1d/log4j-core/src/main/java/org/apache/logging/log4j/core/lookup/Interpolator.java#L80-L82
Version `2.17.0`
(https://github.com/apache/logging-log4j2/commit/4a4b7530b1848e630a65d79e9c7dc388a5a7785b)
only seems to double down this (possibly unnecessary protection) and throws
exceptions from the constructor of the JNDI Lookup.
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: [email protected]
For queries about this service, please contact Infrastructure at:
[email protected]
