java.log4j.security.log4j-message-lookup-injection.log4j-message-lookup-injection

Author
unknown
Possible Lookup injection into Log4j messages. Lookups provide a way to add values to Log4j messages at arbitrary places. If the message parameter contains an attacker-controlled string, the attacker could inject arbitrary lookups, for instance '${java:runtime}'. This could lead to information disclosure or even remote code execution if 'log4j2.formatMsgNoLookups' is disabled, which was the default until version 2.15.0.

Definition

rules:
  - id: log4j-message-lookup-injection
    metadata:
      cwe:
        - "CWE-74: Improper Neutralization of Special Elements in Output Used by
          a Downstream Component ('Injection')"
      owasp:
        - A03:2021 - Injection
      source-rule-url: https://www.lunasec.io/docs/blog/log4j-zero-day/
      references:
        - https://issues.apache.org/jira/browse/LOG4J2-3198
        - https://www.lunasec.io/docs/blog/log4j-zero-day/
        - https://logging.apache.org/log4j/2.x/manual/lookups.html
      category: security
      technology:
        - java
      confidence: LOW
      subcategory:
        - audit
      likelihood: LOW
      impact: HIGH
      license: Commons Clause License Condition v1.0[LGPL-2.1-only]
    message: Possible Lookup injection into Log4j messages. Lookups provide a way to
      add values to the Log4j messages at arbitrary places. If the message
      parameter contains an attacker controlled string, the attacker could
      inject arbitrary lookups, for instance '${java:runtime}'. This could lead
      to information disclosure or even remote code execution if
      'log4j2.formatMsgNoLookups' is disabled. This was disabled by default
      until version 2.15.0.
    mode: taint
    pattern-sources:
      - patterns:
          - pattern: public $T $M(...)
    pattern-sinks:
      - patterns:
          - pattern: |
              (org.apache.log4j.Logger $L).$M(...)
    severity: WARNING
    languages:
      - java

Examples

log4j-message-lookup-injection.java

import com.sun.net.httpserver.HttpExchange;
import com.sun.net.httpserver.HttpHandler;
import org.apache.log4j.Logger;

import java.io.*;
import java.util.*;

public class VulnerableLog4jExampleHandler implements HttpHandler {

  static Logger log = Logger.getLogger(VulnerableLog4jExampleHandler.class.getName());

  public void handle(HttpExchange he) throws IOException {
    // Untrusted request header (attacker controlled) flows straight into the log message.
    String userAgent = he.getRequestHeaders().getFirst("User-Agent");
    // ruleid: log4j-message-lookup-injection
    log.info("Request User Agent:" + userAgent);

  }
}
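A hardened counterpart to the handler above, added here as an illustration and not part of the rule's own test file. It assumes the Log4j 2 API (org.apache.logging.log4j) and the JDK's com.sun.net.httpserver classes; the neutralisation is defence in depth on top of upgrading Log4j or enabling log4j2.formatMsgNoLookups on older releases, not a substitute for it.

```java
import com.sun.net.httpserver.HttpExchange;
import com.sun.net.httpserver.HttpHandler;
import org.apache.logging.log4j.LogManager;
import org.apache.logging.log4j.Logger;
import java.io.IOException;

public class HardenedLog4jExampleHandler implements HttpHandler {

  private static final Logger log = LogManager.getLogger(HardenedLog4jExampleHandler.class);

  /**
   * Breaks every "${" in untrusted text so the Log4j StrSubstitutor no longer
   * sees a lookup. The inserted space cannot re-create a "${" pair.
   */
  static String neutralizeLookups(String untrusted) {
    if (untrusted == null) {
      return null;
    }
    return untrusted.replace("${", "$ {");
  }

  /** True when text contains a lookup expression; usable for input checks or log review. */
  static boolean containsLookup(String text) {
    return text != null && text.contains("${");
  }

  @Override
  public void handle(HttpExchange he) throws IOException {
    String userAgent = he.getRequestHeaders().getFirst("User-Agent");
    if (containsLookup(userAgent)) {
      // Record the attempt without echoing the payload into an interpolated message.
      log.warn("User-Agent contained a Log4j lookup expression; value neutralised before logging");
    }
    // ok: the untrusted value is passed as a parameter, not concatenated into the
    // message string, and its "${" sequences are broken before it is logged.
    log.info("Request User Agent: {}", neutralizeLookups(userAgent));
    he.sendResponseHeaders(204, -1);
    he.close();
  }

  public static void main(String[] args) {
    // Constructed sample value; no server is started.
    String hostile = "Mozilla/5.0 ${java:runtime}";
    String cleaned = neutralizeLookups(hostile);
    if (!containsLookup(hostile) || containsLookup(cleaned)) {
      throw new AssertionError("lookup neutralisation failed: " + cleaned);
    }
    System.out.println(cleaned);
  }
}
```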