Tuesday, December 21, 2021

Infinite Recursion in Log4j 2.16

Ross Cohen (via Hacker News):

If a string substitution is attempted for any reason on the following string, it will trigger an infinite recursion, and the application will crash: ${${::-${::-$${::-j}}}}.

This is fixed in Log4j 2.17.


So, let me get this: Log4j is disabling JNDI, fixing various string substitution issues and who knows what else, but the root cause of the whole mess - that Log4j attempts string substitution on the actual parameter values - remains untouched?

That is weird, but presumably changing it would break a lot of stuff. However, this article suggests that simply injecting the string into one of the log parameters is not by itself sufficient to trigger the infinite recursion; whether it is depends on how the logger was configured.

The scary thing is that I doubt that Log4j is unusually buggy. It’s just that more people are scrutinizing it now and finding these latent problems.
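To make the failure mode concrete, here is an added example; it is not code from this page, from Log4j, or from Ross Cohen. It is a toy Python substitutor modelled loosely on the `${prefix:key:-default}` lookup syntax, with `$${` as an escape for a literal `${`. The `substitute` function, the `LookupDepthExceeded` class, the layout of the `lookups` dictionary, and the `SELF_REFERENTIAL` and `CYCLE` tables are all assumptions of this example, and it does not reproduce Log4j's real StrSubstitutor or the exact path the quoted string takes through it. What it does show is the general defect behind this class of bug: when a substitution engine feeds each resolved value back into itself, a value that refers to itself (directly or through a cycle) recurses until the stack is exhausted. Two defensive options are shown side by side, a hard nesting limit and not re-scanning resolved values at all; the page only says that 2.17 fixes the problem, so neither is presented here as Log4j's actual change. A small input-side check for `${` in values headed for a context map or log parameter rounds it out.

```python
import re
from typing import Optional


class LookupDepthExceeded(RuntimeError):
    """Raised when nested lookup expansion goes deeper than the configured limit."""


def _matching_brace(text: str, open_idx: int) -> int:
    """Return the index of the '}' that closes the '{' at open_idx (braces may nest)."""
    depth = 0
    for j in range(open_idx, len(text)):
        if text[j] == "{":
            depth += 1
        elif text[j] == "}":
            depth -= 1
            if depth == 0:
                return j
    raise ValueError("unbalanced braces in lookup string")


def _resolve(name: str, lookups: dict) -> Optional[str]:
    """Resolve 'prefix:key:-default' against the lookup tables (assumed layout).

    Returns None when the key is unknown and no default was given, so the
    caller can leave the text untouched instead of re-scanning it forever.
    """
    body, has_default, default = name.partition(":-")
    prefix, _, key = body.partition(":")
    value = lookups.get(prefix, {}).get(key)
    if value is not None:
        return value
    return default if has_default else None


def substitute(text: str, lookups: dict, *, reexpand: bool = True,
               max_depth: Optional[int] = None, _depth: int = 0) -> str:
    """Expand every ${...} in text; '$${' is an escape that yields a literal '${'.

    reexpand=True  : a resolved value is fed back into the substitutor (the
                     behaviour that lets a self-referential value recurse).
    reexpand=False : a resolved value is copied to the output verbatim.
    max_depth      : hard limit on nesting; None means unbounded (the naive case).
    """
    if max_depth is not None and _depth > max_depth:
        raise LookupDepthExceeded(f"lookup nesting exceeded {max_depth} levels")
    out = []
    i = 0
    while i < len(text):
        if text.startswith("$${", i):          # escaped lookup: emit literal "${"
            out.append("${")
            i += 3
        elif text.startswith("${", i):
            end = _matching_brace(text, i + 1)
            # lookups nested inside the name or the default are expanded first
            inner = substitute(text[i + 2:end], lookups, reexpand=reexpand,
                               max_depth=max_depth, _depth=_depth + 1)
            value = _resolve(inner, lookups)
            if value is None:                   # unknown key, no default: leave as-is
                out.append("${" + inner + "}")
            elif reexpand:                      # the dangerous step: re-scan the result
                out.append(substitute(value, lookups, reexpand=True,
                                      max_depth=max_depth, _depth=_depth + 1))
            else:
                out.append(value)
            i = end + 1
        else:
            out.append(text[i])
            i += 1
    return "".join(out)


# Constructed sample data: a context map that refers to itself, and a two-key cycle.
SELF_REFERENTIAL = {"ctx": {"a": "${ctx:a}"}}
CYCLE = {"ctx": {"a": "${ctx:b}", "b": "${ctx:a}"}}


def naive_reexpansion_overflows(text: str, lookups: dict) -> bool:
    """True if unbounded re-expansion exhausts the Python stack for this input."""
    try:
        substitute(text, lookups, reexpand=True, max_depth=None)
        return False
    except RecursionError:
        return True


LOOKUP_MARKER = re.compile(r"\$\{")


def flag_untrusted_lookup(value: str) -> bool:
    """Cheap input-side check: a value destined for a context map or log
    parameter that contains '${' should be rejected or escaped before logging."""
    return LOOKUP_MARKER.search(value) is not None


if __name__ == "__main__":
    ctx = {"ctx": {"user": "alice"}}
    print(substitute("user=${ctx:user:-anonymous} id=${ctx:id:-none}", ctx))
    print("naive overflow:", naive_reexpansion_overflows("${ctx:a}", SELF_REFERENTIAL))
    try:
        substitute("${ctx:a}", CYCLE, max_depth=8)
    except LookupDepthExceeded as e:
        print("bounded:", e)
    print("expand-once:", substitute("${ctx:a}", SELF_REFERENTIAL, reexpand=False))
```

The naive path is run with `max_depth=None`, which in Python ends in a `RecursionError` rather than a process crash; in a JVM the same unbounded recursion is a `StackOverflowError`, which is the crash the quoted comment describes. Note that the depth limit only bounds the damage (a request can still force the limit to be hit on every log call), whereas not re-scanning resolved values removes the recursion entirely, at the cost of breaking any configuration that relied on nested expansion of runtime values, which is the compatibility tension the post points at.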

