Log4j Disable Literal Pattern Converter #46
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
cliveverghese
force-pushed
the
recursion
branch
from
f7cc7b6 to
142b8a0
Compare
cliveverghese
force-pushed
the
recursion
branch
from
142b8a0 to
4d43a6c
Compare
lutkerd
reviewed
Dec 23, 2021
| echo "Running Literal Pattern Converter JDK${JVM_MV} Test" | ||
| echo "------------------" | ||
|
|
||
| start_dos_test ${JDK_DIR} ${AGENT_JAR} |
There was a problem hiding this comment.
You need to capture the pid of the process and kill it later.
Comment on lines
+47
to
+50
| public static boolean isEnabled(String args) { | ||
| String param = "--enable-" + NAME; | ||
| return args != null && args.contains(param); | ||
| } |
There was a problem hiding this comment.
I don't think isEnabled is in the current implementation
|
|
||
| @Override | ||
| public int getVersion() { | ||
| return 2; |
There was a problem hiding this comment.
Is the version for the patchset, if so this is version 1 of Log4j2PatchSetWithDisableLookups.
| local agent_jar=$2 | ||
|
|
||
| pushd "${ROOT_DIR}/test" > /dev/null | ||
| ${jdk_dir}/bin/java -cp log4j-core-2.12.1.jar:log4j-api-2.12.1.jar:. -Dlog4j2.configurationFile=${ROOT_DIR}/src/test/resources/log4j-vuln2.properties -javaagent:${agent_jar}=patcherClassName=com.amazon.corretto.hotpatch.patch.impl.set.Log4j2PatchSetWithDisableLookups Vuln2 > /tmp/vuln2.log & |
There was a problem hiding this comment.
Can you hotpatch with this? If so please add tests and doc updates
| restarting the Java process. This tool will also address | ||
| [CVE-2021-45046](https://nvd.nist.gov/vuln/detail/CVE-2021-45046/). | ||
|
|
||
| To Patch for [CVE-2021-45105](https://nvd.nist.gov/vuln/detail/CVE-2021-45105), you can run the tool with the following |
There was a problem hiding this comment.
Please expand on when/why some one would need to patch for this and what the side effects of it are.
| @@ -46,6 +46,19 @@ function start_static_target() { | |||
| popd > /dev/null | |||
| } | |||
|
|
|||
| function start_dos_test() { | |||
There was a problem hiding this comment.
Can you add a test that verifies by default the dos patcher is not active?
# for free
to join this conversation on GitHub.
Already have an account?
# to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Although
-DformatMsgNoLookups=trueprevents lookups directly in the message, Format Lookups are possible when reading a property from the ThreadContext/MDC in the pattern for the message. On certain scenarios, this can cause a StackOverflow through recursive lookups as described on CVE-2021-45105.This patch disables lookups in Message Pattern by patching LiteralPatternConverter.
The patch for LiteralPatternConverter is not enabled by default and can be enabled using the following parameters