popup cross
Please enable JavaScript in your browser to complete this form.

See AccuKnox in Action

Meet our security experts to understand risk assessment in depth

Name
Checkbox Items

For information on how we comply with data privacy practices, please review our Privacy Policy.

search logo search cross
Get a demo

CVE-20 21-45105 Stack Overflow Error due to Recursive Lookups

by AccuKnox Team | December 01, 2023

Another important vulnerability CVE-20 21-45105 for Log4J was discovered. This vulnerability involves Apache Log4j2  not being able to protect from infinite recursion in lookup evaluation. This vulnerability has been upgraded in Log4J versioion 2.17.0 for Java 8 and up. The easiest way to mitigate this vulnerability is to upgrade log4j. The following details have been published […]

Reading Time: 2 minutes

Table of Contents

Another important vulnerability CVE-20 21-45105 for Log4J was discovered. This vulnerability involves Apache Log4j2  not being able to protect from infinite recursion in lookup evaluation.

This vulnerability has been upgraded in Log4J versioion 2.17.0 for Java 8 and up. The easiest way to mitigate this vulnerability is to upgrade log4j.

The following details have been published from https://logging.apache.org/log4j/2.x/index.html

Deep dive: What is this vulnerability and what kind of attack does this lead to?

This vulnerability is a Denial of Service attack that happens through the following steps:

  1. Attackers craft malicious input
  2. If the logging configuration uses a non-default Pattern Layout with a Context Lookup (for example, $${ctx:loginId}),
  3. and if attackers craft malicious input
  4. The malicious input can cause recursive lookups
  5. Recursive lookups cause Denial of Service (DOS) attack to due StackOverflowError that will cause a termination of the process attacked.

Mitigation as suggested by the Log4J team:

  • In PatternLayout in the logging configuration, </span >replace Context Lookups like ${ctx:loginId}or $${ctx:loginId} with Thread Context Map patterns (%X,%mdc, or %MDC).
  • Otherwise, in the configuration, remove references to Context Lookups like ${ctx:loginId} or $${ctx:loginId} where they originate from sources external to the application such as HTTP headers or user input.

MDC or Mapped Diagnostic Context allows applications to log in scenarios with multiple threads and multiple simultaneous clients where mapped information can be stored for individual clients in an MDC which is a  ThreadLocal. A ThreadLocal class provides thread-local variables.

The Context lookups like ${ctx:loginId}or $${ctx:loginId}  lead to a recursive call with the right kind of malicious input. Details at https://issues.apache.org/jira/browse/LOG4J2-3230

Mitigating with Accuknox Open source Repo:

Apply mitigations with Accuknox’s open sourced policy repo for Log4J vulnerabilities at the following URL https://github.com/kubearmor/log4j-CVE-2021-44228

The primary approach to mitigation for this is to block any malicious input for older versions, and follow mitigations suggested by the Log4J team by disabling recursive lookups or the best solution upgrade the Log4J  + Apply Accuknox policy templates on the repo at https://github.com/kubearmor/log4j-CVE-2021-44228

Secure your workloads

side-banner Explore Marketplace

*No strings attached, limited period offer!

  • Schedule 1:1 Demo
  • Product Tour

On an average Zero Day Attacks cost $3.9M

why accuknox logo
Marketplace Icon

4+

Marketplace Listings

Regions Icon

7+

Regions

Compliance Icon

33+

Compliance Coverage

Integration Icon

37+

Integrations Support

founder-image

Prevent attacks
before they happen!

Schedule 1:1 Demo

See interactive use cases in action

Experience easy to execute use cases; such as attack defences, risk assessment, and more.

Please enable JavaScript in your browser to complete this form.