No, the details in the CVE should be enough for you to determine that. We 
simply looked at the source code and determined what the reporter found was 
correct.

Note that Log4j 1.x reached end-of-life in 2015. No one on the Apache Logging 
Services project has worked with it for many years.

Ralph

> On Apr 21, 2023, at 5:52 AM, Marián Konček <mkon...@redhat.com> wrote:
> 
> Would it be possible to provide more details of concerned classes which cause 
> the DDOS or give an example how to reproduce this?
> 
> On 2023/03/10 13:37:22 Arnout Engelen wrote:
> > Severity: low
> >
> > Description:
> >
> > ** UNSUPPORTED WHEN ASSIGNED **
> >
> > When using the Chainsaw or SocketAppender components with Log4j 1.x on JRE 
> > less than 1.7, an attacker that manages to cause a logging entry involving 
> > a specially-crafted (ie, deeply nested)
> > hashmap or hashtable (depending on which logging component is in use) to be 
> > processed could exhaust the available memory in the virtual machine and 
> > achieve Denial of Service when the object is deserialized.
> >
> > This issue affects Apache Log4j before 2. Affected users are recommended to 
> > update to Log4j 2.x.
> >
> > NOTE: This vulnerability only affects products that are no longer supported 
> > by the maintainer.
> >
> > Credit:
> >
> > Garrett Tucker of Red Hat (reporter)
> >
> > References:
> >
> > https://logging.apache.org/
> > https://www.cve.org/CVERecord?id=CVE-2023-26464
> >
> >
> 
> -- 
> Marián Konček
> 

Reply via email to