DSA-5024-1 apache-log4j2 -- liblog4j2-java
ID: oval:org.secpod.oval:def:76503 | Date: (C)2021-12-21 (M)2023-11-10 | Class: PATCH | Family: unix
It was found that Apache Log4j2, a logging framework for Java, did not protect against uncontrolled recursion from self-referential lookups. When the logging configuration uses a non-default Pattern Layout with a Context Lookup, attackers with control over Thread Context Map input data can craft malicious input data that contains a recursive lookup, resulting in a denial of service.