Vulnerability identifier: #VU59051
Vulnerability risk: Medium
CVSSv3.1:
CVE-ID:
CWE-ID:
CWE-835
Exploitation vector: Network
Exploit availability: Yes
Vulnerable software:
Apache Log4j
Universal components / Libraries /
Libraries used by multiple products
Vendor: Apache Foundation
Description
The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to infinite loop within the StrSubstitutor class. A remote attacker can pass specially crafted input to the application, consume all available system resources and cause denial of service conditions.
Payload example: ${${::-${::-$${::-j}}}}
Mitigation
Install updates from vendor's website.
Vulnerable software versions
Apache Log4j: 2.8 - 2.16.0
CPE
External links
http://issues.apache.org/jira/browse/LOG4J2-3230
http://logging.apache.org/log4j/2.x/security.html
http://www.zerodayinitiative.com/advisories/ZDI-21-1541/
Can this vulnerability be exploited remotely?
Is there known malware, which exploits this vulnerability?