Apache Log4j StrSubstitutor Vulnerability

December 31, 2021

Overview:

  Apache Log4j is a logging library for Java. Log4j is a simple and flexible logging framework. With Log4j it is possible to enable logging at runtime without modifying the application binary. Apache Log4j is part of a project which is known as Apache Logging. The Log4j package is designed so that the logging statements can remain in shipped code without incurring a heavy performance cost. Logging behaviour can be controlled by editing a configuration file, without touching the application binary.

  An uncontrolled recursion vulnerability has been reported in the StrSubstitutor class of Apache Log4j. This vulnerability is due to improper handling of logged messages when the logging configuration uses a non-default Pattern Layout with a Context Map Lookup, Map Lookup, or Structured Data Lookup.

  A remote attacker who can control an item in the Thread Context Map or a MapMessage or StructuredDataMessage can exploit this vulnerability by sending a specially crafted parameter to the target application. Successful exploitation could result in a denial-of-service condition due to a crash of the Log4j service.

  Vendor: Logging Apache

CVE Reference:

  This vulnerability has been assigned the Common Vulnerabilities and Exposures (CVE) identifier CVE-2021-45105

  See: CVE-ID

Common Vulnerability Scoring System (CVSS):

  The overall CVSS score is 6.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C).

  Base score is 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H), based on the following metrics:
    • Attack vector is network.
    • Attack complexity is low.
    • Privileges required is none.
    • User interaction is none.
    • Scope is unchanged.
    • Impact of this vulnerability on data confidentiality is none.
    • Impact of this vulnerability on data integrity is none.
    • Impact of this vulnerability on data availability is high.
  Temporal score is 6.5 (E:U/RL:O/RC:C), based on the following metrics:
    • The exploit code maturity level of this vulnerability is unproven.
    • The remediation level of this vulnerability is official fix.
    • The report confidence level of this vulnerability is confirmed.

  NVD CVSS Metrics

Technical Overview:

  An uncontrolled recursion vulnerability has been reported in the StrSubstitutor class of Apache Log4j. This vulnerability is due to improper handling of logged messages when the logging configuration uses a non-default Pattern Layout with a Context Map Lookup, Map Lookup, or Structured Data Lookup. When a variable is included in a lookup string, it is resolved by calling the substitute() method of the class org.apache.logging.log4j.core.lookup.StrSubstitutor.

  Once the marker for the end of a variable is found, the substitute() method is called recursively with the variable to be substituted. The method checkCyclicSubstitution() is called with each variable substitution, to detect infinite substitution loops. This method maintains a list of previously encountered variables in a variable named priorVariables. After the variable is resolved using the resolveVariable() method, the substitute() function is called recursively with the resolved content, to resolve any variables included in the result. However, when a variable is detected in the resolved content, substitute() is called recursively without supplying the priorVariables variable. Therefore, if a variable resolves to a nested lookup containing the same variable, it won’t be detected by the checkCyclicSubstitution() method, resulting in uncontrolled recursion.

  A remote attacker who can control an item in the Thread Context Map or a MapMessage or StructuredDataMessage can exploit this vulnerability by setting the item to an appropriate lookup containing a nested reference to itself. For example, if the attacker can control the value of the apiversion Thread Context Map item, they could set its value to the following string:

  

  Successful exploitation could result in a StackOverflowError due to uncontrolled recursion, leading to a denial of service condition due to a crash of the Log4j service.

Triggering the Problem:

  • The target must be running a vulnerable version of the software.
  • Target needs a non-default Pattern Layout with a Context Map Lookup, Map Lookup, or Structured Data Lookup.
  • Target must accept untrusted input within the Thread Context Map, MapMessage, or StructuredDataMessage.
  • The attacker must have network connectivity to the vulnerable server.

Triggering Conditions:

  The attacker sends a maliciously crafted parameter to the vulnerable server. The server adds the parameter to a Thread Context Map, MapMessage, or StructuredDataMessage and logs a message. The vulnerability is triggered when the server parses the lookup included in the parameter.

Attack Delivery:

  The following application protocols can be used to deliver an attack that exploits this vulnerability:
    • HTTP
    • HTTPS

SonicWall’s, (IPS) Intrusion Prevention System, provides protection against this threat:

  • IPS:15738 Apache Log4j Self-Referential Lookup DoS (CVE-2021-45105) 1

  • IPS:15739 Apache Log4j Self-Referential Lookup DoS (CVE-2021-45105) 2

  • IPS:15740 Apache Log4j Self-Referential Lookup DoS (CVE-2021-45105) 3

  • IPS:18663 Apache Log4j Self-Referential Lookup DoS (CVE-2021-45105) 4

  Please note that if your web service/server is accessible over HTTPS, then enabling of Server DPI-SSL is necessary for the above signature to detect exploits targeting this vulnerability.

Remediation Details:

  The risks posed by this vulnerability can be mitigated or eliminated by:
    • Applying the vendor supplied patch.
    • Remove Context Map Lookups, Map Lookups, and Structured Data Lookups from the Apps Pattern Layout.
    • Detecting and blocking malicious traffic using the signature above.
  The vendor has released the following advisory regarding this vulnerability:
  Vendor Advisory