
CVE-2021-45105 Stack Overflow Error due to Recursive Lookups

December 18, 2021

Another important Log4j vulnerability, CVE-2021-45105, has been disclosed. It stems from Apache Log4j2 failing to protect against infinite recursion during lookup evaluation.

The fix for this vulnerability is included in Log4j version 2.17.0 for Java 8 and up. The easiest way to mitigate it is to upgrade Log4j.

The following details have been published by the Log4j project at https://logging.apache.org/log4j/2.x/index.html

Deep dive: What is this vulnerability and what kind of attack does this lead to?

This vulnerability enables a Denial of Service attack through the following steps:

  1. The logging configuration uses a non-default Pattern Layout with a Context Lookup (for example, $${ctx:loginId}).
  2. Attackers craft malicious input.
  3. The malicious input causes recursive lookups.
  4. The recursive lookups raise a StackOverflowError, which terminates the attacked process: a Denial of Service (DoS).

Mitigation as suggested by the Log4j team:

  • In the PatternLayout in the logging configuration, replace Context Lookups like ${ctx:loginId} or $${ctx:loginId} with Thread Context Map patterns (%X, %mdc, or %MDC).
  • Otherwise, in the configuration, remove references to Context Lookups like ${ctx:loginId} or $${ctx:loginId} where they originate from sources external to the application, such as HTTP headers or user input.
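To audit an existing log4j2.xml for the Context Lookups the mitigation above targets, here is an added example, not code from this post or from the Log4j project: it reports every PatternLayout whose pattern uses ${ctx:...} or $${ctx:...} and shows the equivalent %X{key} form (a ":-default" suffix has no %X equivalent and is dropped). The sample configuration and its appender names are constructed.

```python
import re
import xml.etree.ElementTree as ET

# Matches ${ctx:key} and $${ctx:key}; group 1 may carry a ":-default" suffix.
CTX_LOOKUP = re.compile(r"\$\$?\{ctx:([^}]+)\}")

# Constructed sample log4j2.xml (not a real deployment's config).
SAMPLE_CONFIG = """<Configuration status="WARN">
  <Appenders>
    <Console name="Console" target="SYSTEM_OUT">
      <PatternLayout pattern="%d{HH:mm:ss} [%t] user=$${ctx:loginId} %-5level %logger{36} - %msg%n"/>
    </Console>
    <File name="Audit" fileName="audit.log">
      <PatternLayout>
        <Pattern>%d user=${ctx:loginId} tenant=${ctx:tenant:-none} %m%n</Pattern>
      </PatternLayout>
    </File>
  </Appenders>
</Configuration>
"""

def rewrite_pattern(pattern: str) -> str:
    """Replace each Context Lookup with the Thread Context Map conversion %X{key}.
    %X reads the MDC value directly, with no lookup evaluation to recurse into."""
    return CTX_LOOKUP.sub(lambda m: "%X{" + m.group(1).split(":-")[0] + "}", pattern)

def find_ctx_lookups(config_xml: str) -> list:
    """Return (appender name, original pattern, rewritten pattern) for every
    PatternLayout whose pattern (attribute or nested <Pattern>) uses a ctx lookup."""
    root = ET.fromstring(config_xml)
    parents = {child: parent for parent in root.iter() for child in parent}
    findings = []
    for layout in root.iter():
        if layout.tag.lower() != "patternlayout":
            continue
        pattern = layout.get("pattern")
        if pattern is None:  # pattern may instead be a nested <Pattern> element
            nested = next((c for c in layout if c.tag.lower() == "pattern"), None)
            pattern = nested.text if nested is not None else None
        if pattern and CTX_LOOKUP.search(pattern):
            appender = parents.get(layout)
            name = appender.get("name", appender.tag) if appender is not None else "?"
            findings.append((name, pattern, rewrite_pattern(pattern)))
    return findings

if __name__ == "__main__":
    for name, before, after in find_ctx_lookups(SAMPLE_CONFIG):
        print(f"[{name}]\n  before: {before}\n  after:  {after}")
```

Run it against each log4j2.xml shipped with an application; an empty result means no PatternLayout depends on Context Lookups, which is the configuration state the Log4j team recommends.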

MDC, or Mapped Diagnostic Context, allows applications to log in scenarios with multiple threads and multiple simultaneous clients: mapped information for each client is stored in the MDC, which is backed by a ThreadLocal. The ThreadLocal class provides thread-local variables.

Context Lookups like ${ctx:loginId} or $${ctx:loginId} lead to a recursive call with the right kind of malicious input. Details at https://issues.apache.org/jira/browse/LOG4J2-3230

Mitigating with the AccuKnox open source repo:

Apply mitigations with AccuKnox's open-source policy repo for Log4j vulnerabilities at https://github.com/kubearmor/log4j-CVE-2021-44228

The primary approach to mitigation is to block malicious input on older versions and to follow the mitigations suggested by the Log4j team by disabling recursive lookups. The best solution is to upgrade Log4j and apply the AccuKnox policy templates from the repo at https://github.com/kubearmor/log4j-CVE-2021-44228
