Akamai Reports Another DoS in Log4j2 (CVE-2021-45105): What You Need to Know
The series of vulnerabilities recently discovered in Log4j2 has shocked the internet. As part of our continuing research, on December 17, Hideki Okamoto from Akamai found and responsibly reported an additional denial-ofservice (DoS) vulnerability, which was assigned as CVE-2021-45105.
How we discovered CVE-2021-45105
We were analyzing CVE-2021-45046, the second in this series of vulnerabilities. When Log4j2 properties include a custom layout using Context Lookup (${ctx:FOOBAR}) or Thread Context Map pattern (%X, %mdc, or %MDC) and the application passes user inputs to the thread context, crafted payloads can lead to uncontrolled recursion. This was later discovered to be a remote code execution (RCE) vulnerability but was initially reported to cause DoS.
As we were trying to determine what payloads cause DoS, we found a payload published by a third-party security team. The payload did indeed throw an exception, but it was “java.lang.IllegalStateException: Infinite loop in IllegalStateException: Infinite loop in property interpolation,” which is a recoverable exception. While we are not sure if this is indeed the payload of CVE-2021-45046, we have noticed that a “safeguard” in the Log4j2 code threw this exception.
StrSubstitutor.java
private void checkCyclicSubstitution(final String varName, final List<String> priorVariables) {
if (!priorVariables.contains(varName)) {
return;
}
final StringBuilder buf = new StringBuilder(BUF_SIZE);
buf.append("Infinite loop in property interpolation of ");
buf.append(priorVariables.remove(0));
buf.append(": ");
appendWithSeparators(buf, priorVariables, "->");
throw new IllegalStateException(buf.toString());
}
This means that the developers of Log4j2 were aware that circular references could occur in the Lookup process. We believe they were hoping that application developers would catch this exception since they named the function checkCyclicSubstitution(). This function examines the Array List that stores the history of values. We thought that there might be a way to bypass the circular reference check. Finally, we were able to find such a payload and raise a java.lang.StackOverflowError on certain versions of JVM. We also noticed that this attack occurs in Log4j 2.16, where CVE-2021-45046 has been fixed.
The issue was reported to the Log4j2 security team, which assigned the CVE-2021-45105 and quickly fixed it in Log4j 2.17.
The attack vector
We found that in case applications pass user inputs to the thread context, double valuation of the logged context data could result in a server crash:
User-Agent: ${${ctx:ua}}
Some reports on Twitter and GitHub have pointed out other attack vectors that are not directly related to this vulnerability, as at the most some of them might result in recoverable exceptions, rather than a server crash. Such variants are:
${ctx:loginId}$${ctx:loginId}${${::-${::-$${::-j}}}}
Mitigating CVE-2021-45105
Kona Site Defender customers with all rule sets are already protected against this vulnerability with the current KRS/ASE Rule 3000014 and AAG Attack Group “Command Injection.”
We are also continuing our research and will publish updates as more information is available.
