Uploaded image for project: 'Log4j 2'
  1. Log4j 2
  2. LOG4J2-3221

JNDI lookups in layout (not message patterns) enabled in Log4j2 < 2.16.0

    XMLWordPrintableJSON

Details

    • Bug
    • Status: Resolved
    • Major
    • Resolution: Fixed
    • None
    • 2.16.0, 2.12.2, 2.3.1
    • None
    • None

    Description

      The mitigation advice for CVE-2021-4428 suggests that for Log4j > 2.10.0 and < 2.15.0, the vulnerability can be avoided by setting -Dlog4j2.formatMsgNoLookups=true or upgrading to 2.15.0. However, many users may not be aware that even in this case, lookups used in layouts to provide specific pieces of context information will still recursively resolve, possibly triggering JNDI lookups. In order to avoid attacker-controlled JNDI lookups, users must also either:

      • Ensure that no such lookups resolve to attacker-provided data
      • Ensure that the the JndiLookup class is not loaded
      • Upgrade to log4j2 2.16.0 (untested)

      Attachments

        Issue Links

          is duplicated by

          Bug - A problem which impairs or prevents the functions of the product. LOG4J2-3245 log4j-core-2.0-beta9.jar CVE-2021-44228 vulnerability

          • Major - Major loss of function.
          • Closed

          Activity

            People

              Unassigned Unassigned
              semiotics Lucy Menon
              Votes:
              1 Vote for this issue
              Watchers:
              18 Start watching this issue

              Dates

                Created:
                Updated:
                Resolved: