Yet another vulnerability (CVE-2021-45105) has been found in the log4j 2 library; unlike the two previous issues it is rated high rather than critical. The new problem allows a denial of service: when certain strings are processed, the logger enters unbounded recursion and the process crashes. The vulnerability is fixed in log4j 2.17, released a few hours ago; that release targets Java 8. The severity is tempered by the fact that only non-default configurations are affected, as described below.
Affected are systems whose logging configuration uses context lookups, such as ${ctx:var}, in the output pattern (Pattern Layout). In log4j versions from 2.0-alpha1 through 2.16.0 there was no protection against uncontrolled recursion, so an attacker who controls a value that ends up in such a substitution (for example a Thread Context Map entry) could craft it to refer back to itself; the resulting unbounded recursion exhausts the stack (StackOverflowError) and terminates the process. In particular, the problem was triggered by substituting values such as ${${::-${::-$${::-j}}}}.
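The following is an added example, written for this article and not code from log4j or from the researchers who reported the bug. It is a deliberately simplified model of a lookup substitutor: the "unbounded" resolver re-scans every substituted value for further lookups, which is what makes a self-referential Thread Context Map value (the case named in the CVE description) recurse until the stack is exhausted; the "safe" resolver models the mitigation of inserting context-map data verbatim and capping the number of substitutions per message. The exact ${${::-${::-$${::-j}}}} payload quoted above depends on log4j's handling of $${ escapes, which this toy does not reproduce. The pattern string, the MDC entries and the MAX_SUBSTITUTIONS cap are constructed for the example.

```python
import re

# Innermost ${...} that contains no further braces; resolving from the inside
# out is enough for this simplified model.
LOOKUP = re.compile(r"\$\{([^{}]*)\}")

MAX_SUBSTITUTIONS = 64  # assumed cap for this example, not a log4j constant


def _lookup(name, default, ctx):
    """Resolve one lookup body. Only the ctx: prefix (Thread Context Map) is modelled;
    any other prefix, and any missing key, yields the ':-' default."""
    if name.startswith("ctx:"):
        return ctx.get(name[len("ctx:"):], default)
    return default


def resolve_unbounded(text, ctx):
    """Model of a substitutor with no recursion guard (log4j <= 2.16 behaviour).
    Every substituted value is re-scanned for further lookups, so a context
    value that refers back to itself never stops expanding."""
    m = LOOKUP.search(text)
    if m is None:
        return text
    name, _, default = m.group(1).partition(":-")
    value = _lookup(name, default, ctx)
    return resolve_unbounded(text[:m.start()] + value + text[m.end():], ctx)


def resolve_safe(text, ctx, budget=MAX_SUBSTITUTIONS):
    """Model of the 2.17 mitigation: a value taken from the context map is
    inserted verbatim and never re-evaluated, and the number of substitutions
    per message is capped. Whatever is left unexpanded is returned as-is."""
    m = LOOKUP.search(text)
    if m is None or budget == 0:
        return text
    name, _, default = m.group(1).partition(":-")
    key = name[len("ctx:"):] if name.startswith("ctx:") else None
    if key is not None and key in ctx:
        # Context-map data is attacker-influenced: paste it and move on to the
        # rest of the message without rescanning the pasted text.
        return text[:m.start()] + ctx[key] + resolve_safe(text[m.end():], ctx, budget - 1)
    value = _lookup(name, default, ctx)  # no ctx value: falls through to the default
    return resolve_safe(text[:m.start()] + value + text[m.end():], ctx, budget - 1)


def overflows(resolver, text, ctx):
    """True if the resolver exhausts the interpreter stack on this input.
    Python raises RecursionError where the JVM would throw StackOverflowError."""
    try:
        resolver(text, ctx)
    except RecursionError:
        return True
    return False


# Constructed sample input: a pattern layout containing ${ctx:loginId} and an
# MDC entry under the attacker's control.
PATTERN = "%d [%t] user=${ctx:loginId} %m%n"
BENIGN_MDC = {"loginId": "alice"}
SELF_REFERENTIAL_MDC = {"loginId": "${ctx:loginId}"}

if __name__ == "__main__":
    print(resolve_unbounded(PATTERN, BENIGN_MDC))
    print("unbounded overflows:", overflows(resolve_unbounded, PATTERN, SELF_REFERENTIAL_MDC))
    print("safe overflows:     ", overflows(resolve_safe, PATTERN, SELF_REFERENTIAL_MDC))
    print(resolve_safe(PATTERN, SELF_REFERENTIAL_MDC))
```

Both resolvers agree on ordinary input; they differ only when the substituted data can itself be parsed as a lookup, which is exactly the property that turns a logging statement into an attack surface.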
Separately, researchers at Blumira have proposed a way to attack vulnerable Java applications that do not accept external network connections at all, which makes developer workstations and end users' machines running Java software viable targets (this concerns the earlier JNDI lookup flaw, CVE-2021-44228, rather than the new denial of service). The idea is that if a vulnerable Java process on the user's machine listens only on localhost, or exposes RMI (Remote Method Invocation, port 1099), it can still be reached by JavaScript running in the user's browser when the user opens a malicious page.
To get the browser to connect to the Java application, the attack uses the WebSocket API, to which the same-origin restrictions that apply to ordinary HTTP requests do not apply (WebSocket connections can likewise be used to scan ports on localhost and discover which local services are listening). The browser does attach an Origin header to the WebSocket handshake, but whether to honour it is left entirely to the receiving server.
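The practical consequence for anyone running a local service is that the server, not the browser, has to enforce origin policy on WebSocket handshakes. The following is an added example written for this article, not code from Blumira, log4j or any particular server: it checks the Origin header of a raw HTTP upgrade request against an allowlist before the request path or headers are logged or acted upon. The ALLOWED_ORIGINS set and the sample handshake requests are constructed for the example. It addresses only the browser-pivot vector described above; a non-browser client can send any Origin it likes, so this check is not a substitute for patching.

```python
from urllib.parse import urlsplit

# Origins permitted to open a WebSocket to this service. Assumed values for the
# example; a real deployment lists the pages that legitimately embed the client.
ALLOWED_ORIGINS = {"http://localhost:8080", "https://app.example.internal"}


def parse_request_headers(raw):
    """Split a raw HTTP/1.1 request into (request line, {lower-case name: value})."""
    head, _, _body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers


def is_websocket_upgrade(headers):
    """RFC 6455 handshake: Upgrade: websocket plus a Connection header listing 'Upgrade'."""
    return (headers.get("upgrade", "").lower() == "websocket"
            and "upgrade" in headers.get("connection", "").lower())


def normalise_origin(origin):
    """Reduce an Origin value to scheme://host[:port] in lower case.
    Returns None for anything that is not a plain http(s) origin (e.g. 'null')."""
    parts = urlsplit(origin)
    if parts.scheme not in ("http", "https") or not parts.netloc:
        return None
    return f"{parts.scheme}://{parts.netloc}".lower()


def accept_handshake(raw_request, allowed=ALLOWED_ORIGINS):
    """Decide whether to accept a WebSocket upgrade. Returns (ok, reason).
    The decision is made before anything in the request is logged or used."""
    _request_line, headers = parse_request_headers(raw_request)
    if not is_websocket_upgrade(headers):
        return False, "not a websocket upgrade"
    origin = headers.get("origin")
    if origin is None:
        # Browsers always send Origin on WebSocket handshakes. Rejecting its
        # absence is a strict default; relax it only for known non-browser clients.
        return False, "missing Origin header"
    normalised = normalise_origin(origin)
    if normalised is None or normalised not in allowed:
        return False, f"origin not allowed: {origin}"
    return True, "ok"


# Constructed sample handshakes. The first is what a malicious page would make
# the victim's browser send to a localhost listener; the second comes from the
# service's own local UI.
CROSS_SITE = (
    "GET /ws HTTP/1.1\r\n"
    "Host: localhost:8080\r\n"
    "Upgrade: websocket\r\n"
    "Connection: Upgrade\r\n"
    "Origin: https://attacker.example\r\n"
    "Sec-WebSocket-Key: dGhlIHNhbXBsZSBub25jZQ==\r\n"
    "Sec-WebSocket-Version: 13\r\n\r\n"
)
LOCAL_UI = CROSS_SITE.replace("Origin: https://attacker.example",
                              "Origin: http://localhost:8080")

if __name__ == "__main__":
    print(accept_handshake(CROSS_SITE))
    print(accept_handshake(LOCAL_UI))
```

The same allowlist comparison belongs in any HTTP handler that a local Java service exposes, since an upgrade request that fails the handshake is still a request the application may log in full.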