DoS vulnerability in log4j < 2.16.0

Issue date: 15-12-2021
Affects versions: 14.7, 14.6, 13.4, 12.6

Security Issue ID

SECURITY-284


Affected Product Version(s)

14.7.1, 13.4.12, 12.6.20 and previous releases.


Severity 

medium


Description

https://nvd.nist.gov/vuln/detail/CVE-2021-45046

It was found that the fix to address CVE-2021-44228 in Apache Log4j 2.15.0 was incomplete in certain non-default configurations. This could allow attackers with control over Thread Context Map (MDC) input data, when the logging configuration uses a non-default Pattern Layout with either a Context Lookup (for example, $${ctx:loginId}) or a Thread Context Map pattern (%X, %mdc, or %MDC), to craft malicious input data using a JNDI Lookup pattern, resulting in a denial of service (DoS) attack. Log4j 2.15.0 restricts JNDI LDAP lookups to localhost by default. Note that previous mitigations involving configuration, such as setting the system property `log4j2.formatMsgNoLookups` to `true` (or the environment variable `LOG4J_FORMAT_MSG_NO_LOOKUPS`), do NOT mitigate this specific vulnerability: they only disable lookups inside the log message itself, whereas here the lookup is triggered by the layout pattern. Log4j 2.16.0 fixes this issue by removing support for message lookup patterns and disabling JNDI functionality by default.

Note that the NVD entry has since been revised: CVE-2021-45046 is now rated critical (CVSS 9.0) because the localhost restriction in 2.15.0 could be bypassed, allowing information leakage and, in some environments, remote code execution rather than only denial of service. Do not treat the Medium severity above as a reason to defer the upgrade.

brXM versions 12.6.22, 13.4.13, and 14.7.2 have been updated to use log4j 2.16.0, which closes this vulnerability by removing message lookup support and disabling JNDI lookups by default.
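The precondition described above is a non-default PatternLayout that pulls MDC data into the output. The following scanner, an added example for this page and not brXM or Log4j code, reads a Log4j 2 XML configuration and reports every appender whose layout does so, covering both the Context Lookup form ($${ctx:key}) and the %X/%mdc/%MDC converters. The sample configuration embedded below is constructed for the example; the appender names, keys and file paths in it are assumptions.

```python
"""Audit a Log4j 2 XML configuration for the layout precondition of CVE-2021-45046.

CVE-2021-45046 needs a non-default PatternLayout that pulls Thread Context Map (MDC)
data into the output, either through a Context Lookup ($${ctx:key}) or through one of
the MDC converters (%X, %mdc, %MDC). This scanner reports every layout that does so.
Added example for this page, not brXM or Log4j code; SAMPLE_CONFIG is constructed.
"""
import re
import xml.etree.ElementTree as ET
from typing import Iterator

# Context Lookup inside a layout pattern: "$${ctx:loginId}" (resolved at log time)
# or "${ctx:loginId}" (resolved when the configuration is loaded).
CTX_LOOKUP = re.compile(r"\$\$?\{ctx:[^}]*\}")

# MDC converters, allowing format modifiers such as "%-10X{key}".
# The word boundary keeps "%xEx" and "%msg" from matching.
MDC_CONVERTER = re.compile(r"%-?\d*(?:\.\d+)?(?:X|mdc|MDC)\b(?:\{[^}]*\})?")


def affected_tokens(pattern: str) -> list[str]:
    """Return the MDC-related tokens in one layout pattern, or [] if it is unaffected."""
    return CTX_LOOKUP.findall(pattern) + MDC_CONVERTER.findall(pattern)


def layout_patterns(config_xml: str) -> Iterator[tuple[str, str]]:
    """Yield (appender name, pattern) for every PatternLayout in the configuration.

    Both <PatternLayout pattern="..."/> and the nested <PatternLayout><Pattern>
    form are handled.
    """
    root = ET.fromstring(config_xml)
    for parent in root.iter():
        for layout in parent.findall("PatternLayout"):
            pattern = layout.get("pattern")
            if pattern is None:
                child = layout.find("Pattern")
                pattern = child.text if child is not None else None
            if pattern:
                yield parent.get("name", parent.tag), pattern


def audit(config_xml: str) -> dict[str, list[str]]:
    """Map each appender whose layout is affected to the offending tokens."""
    findings: dict[str, list[str]] = {}
    for name, pattern in layout_patterns(config_xml):
        tokens = affected_tokens(pattern)
        if tokens:
            findings[name] = tokens
    return findings


# Constructed sample: the Console appender uses a plain layout; the Audit appender
# uses a non-default layout that injects MDC data and is therefore in scope.
SAMPLE_CONFIG = """\
<Configuration status="WARN">
  <Appenders>
    <Console name="Console" target="SYSTEM_OUT">
      <PatternLayout pattern="%d{HH:mm:ss.SSS} [%t] %-5level %logger{36} - %msg%n"/>
    </Console>
    <RollingFile name="Audit" fileName="logs/audit.log" filePattern="logs/audit-%i.log">
      <PatternLayout>
        <Pattern>%d [%t] %-5p user=$${ctx:loginId} req=%X{requestId} %m%n</Pattern>
      </PatternLayout>
      <Policies>
        <SizeBasedTriggeringPolicy size="10 MB"/>
      </Policies>
    </RollingFile>
  </Appenders>
  <Loggers>
    <Root level="info">
      <AppenderRef ref="Console"/>
      <AppenderRef ref="Audit"/>
    </Root>
  </Loggers>
</Configuration>
"""

if __name__ == "__main__":
    for appender, tokens in audit(SAMPLE_CONFIG).items():
        print(f"{appender}: layout pulls MDC data via {', '.join(tokens)}")
```

A hit only means the layout satisfies the precondition; whether the MDC keys it prints are populated from untrusted input (request headers, usernames, session data) is a separate question for the application code. Either way the fix is the upgrade, not editing the pattern, since the revised CVE rating makes any log4j version below 2.16.0 unacceptable.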

Instructions

Customers are recommended to upgrade to the latest brXM version available.

Note that these versions include a narrow fix to keep one known-safe JNDI usage working: routing log messages to separate files based on the webapp context. This fix relies on the specific JNDI name 'logging/contextName', as described in our documentation. If your project has changed this name, either change your configuration back to the recommended name or remove the LookupFilter configuration entirely; otherwise all log file output will be suppressed after upgrading brXM (or log4j).