Replicating CVE-2021-45046# tejas-nagchandi/CVE-2021-45046
## Attack
## Description
It was found that the fix to address CVE-2021-44228 in Apache Log4j 2.15.0 was incomplete in certain non-default configurations. This could allows attackers with control over Thread Context Map (MDC) input data when the logging configuration uses a non-default Pattern Layout with either a Context Lookup (for example, $${ctx:loginId}) or a Thread Context Map pattern (%X, %mdc, or %MDC) to craft malicious input data using a JNDI Lookup pattern resulting in a denial of service (DOS) attack. Log4j 2.15.0 makes a best-effort attempt to restrict JNDI LDAP lookups to localhost by default. Log4j 2.16.0 fixes this issue by removing support for message lookup patterns and disabling JNDI functionality by default.
## What is Thread Context?
Log4j introduced the concept of the Mapped Diagnostic Context or MDC.
Log4j 2 continues with the idea of the MDC and the NDC but merges them into a single Thread Context. The Thread Context Map is the equivalent of the MDC and the Thread Context Stack is the equivalent of the NDC. Although these are frequently used for purposes other than diagnosing problems, they are still frequently referred to as the MDC and NDC in Log4j 2 since they are already well known by those acronyms.
## Fish Tagging
Most real-world systems have to deal with multiple clients simultaneously. In a typical multithreaded implementation of such a system, different threads will handle different clients. Logging is especially well suited to trace and debug complex distributed applications. A common approach to differentiate the logging output of one client from another is to instantiate a new separate logger for each client. This promotes the proliferation of loggers and increases the management overhead of logging.
A lighter technique is to uniquely stamp each log request initiated from the same client interaction. Neil Harrison described this method in the book "Patterns for Logging Diagnostic Messages," in Pattern Languages of Program Design 3, edited by R. Martin, D. Riehle, and F. Buschmann (Addison-Wesley, 1997). Just as a fish can be tagged and have its movement tracked, stamping log events with a common tag or set of data elements allows the complete flow of a transaction or a request to be tracked. We call this Fish Tagging.
Log4j provides two mechanisms for performing Fish Tagging; the Thread Context Map and the Thread Context Stack. The Thread Context Map allows any number of items to be added and be identified using key/value pairs. The Thread Context Stack allows one or more items to be pushed on the Stack and then be identified by their order in the Stack or by the data itself. Since key/value pairs are more flexible, the Thread Context Map is recommended when data items may be added during the processing of the request or when there are more than one or two items.
To uniquely stamp each request using the Thread Context Stack, the user pushes contextual information on to the Stack.
## Reference
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-45046
https://logging.apache.org/log4j/2.x/manual/thread-context.html
[4.0K] /data/pocs/8185455f3a3bc5efc8eb05944cf5d0af5346dee9
├── [9.8K] mvnw
├── [6.5K] mvnw.cmd
├── [1.4K] pom.xml
├── [3.2K] README.md
├── [4.0K] src
│ └── [4.0K] main
│ ├── [4.0K] java
│ │ └── [4.0K] com
│ │ └── [4.0K] vulnerability
│ │ └── [ 393] TestingCVE202145046.java
│ ├── [4.0K] resources
│ │ └── [ 406] log4j2.xml
│ └── [4.0K] webapp
│ ├── [ 354] index.jsp
│ └── [4.0K] WEB-INF
│ └── [ 213] web.xml
└── [ 393] TestingCVE202145046.java
8 directories, 9 files