Apache Log4j Core Rfc5424Layout Log Injection Vulnerability

Vulnerability

A log injection vulnerability has been identified in Apache Log4j Core's Rfc5424Layout, affecting versions from 2.21.0 up to, but not including, 2.25.4. The vulnerability arises from undocumented renames of security-relevant configuration attributes, leading to CRLF injection via stream-based syslog services. Specifically, the newLineEscape attribute was renamed, which silently disabled newline escaping for users of TCP framing, and the useTlsMessageFormat attribute was renamed, which silently downgraded TLS users to unframed TCP without newline escaping. This issue does not affect users of the SyslogAppender, whose configuration attributes remain unchanged.

Impact

Exploitation of this vulnerability allows for log injection via CRLF sequences, creating a false log entry that could disrupt the integrity of log management systems and potentially obscure malicious activities.

Reproduction

To reproduce this vulnerability, configure an application to use Apache Log4j Core Rfc5424Layout in a version from 2.21.0 up to, but not including, 2.25.4, and set up a stream-based syslog service using TCP framing (RFC 6587) or TLS framing (RFC 5425) without the appropriate newline escaping. This can be done by manually renaming the 'newLineEscape' and 'useTlsMessageFormat' attributes in the Rfc5424Layout configuration, or by using a version of Log4j that has not yet been updated to address this issue.
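The following is an added illustration, not Log4j code, of why the lost newline escaping matters for stream-based syslog: it models both RFC 6587 framings on the sender and receiver side, the escaping that a working newLineEscape setting performs, and a constructed message whose user-controlled part carries a CRLF. The header values and the escape replacement string are assumptions.

```python
"""Model of RFC 6587 framing and newline escaping (added example, not Log4j
code). The header, timestamps and message text below are constructed."""

# Constructed RFC 5424 header; PRI, timestamp and message IDs are made up.
HEADER = "<165>1 2026-04-10T16:54:00Z host app - ID47 - "

def escape_newlines(msg: str, replacement: str = "\\n") -> str:
    """What a working newLineEscape setting does: CR and LF inside the body
    are replaced so the body can never end a record early. The replacement
    string is an assumption, not Log4j's default."""
    return (msg.replace("\r\n", replacement)
               .replace("\r", replacement)
               .replace("\n", replacement))

def frame_non_transparent(msg: str) -> bytes:
    """RFC 6587 3.4.2 non-transparent framing: a record ends at LF."""
    return (HEADER + msg + "\n").encode()

def frame_octet_counting(msg: str) -> bytes:
    """RFC 6587 3.4.1 octet counting: 'MSG-LEN SP SYSLOG-MSG'. The length
    prefix makes the body opaque, so embedded newlines cannot split it."""
    body = (HEADER + msg).encode()
    return f"{len(body)} ".encode() + body

def parse_non_transparent(stream: bytes) -> list[str]:
    """Receiver side: split on LF, as a stream-based syslog server does."""
    return [r.decode() for r in stream.split(b"\n") if r]

def parse_octet_counting(stream: bytes) -> list[str]:
    """Receiver side: read the length, then exactly that many bytes."""
    records, i = [], 0
    while i < len(stream):
        sp = stream.index(b" ", i)
        n = int(stream[i:sp])
        records.append(stream[sp + 1:sp + 1 + n].decode())
        i = sp + 1 + n
    return records

# Constructed message: the user-controlled part carries a CRLF followed by
# text shaped like a second record (the false log entry the advisory describes).
USER_INPUT = ("login failed for user bob\r\n"
              "<165>1 2026-04-10T16:54:01Z host app - ID48 - login ok for admin")

def record_counts() -> tuple[int, int, int]:
    """Records the receiver sees for: unescaped LF framing, escaped LF
    framing, octet counting. Returns (2, 1, 1)."""
    unescaped = parse_non_transparent(frame_non_transparent(USER_INPUT))
    escaped = parse_non_transparent(frame_non_transparent(escape_newlines(USER_INPUT)))
    counted = parse_octet_counting(frame_octet_counting(USER_INPUT))
    return len(unescaped), len(escaped), len(counted)
```

The second count is the behaviour the escaping attribute is meant to guarantee; the third shows that octet-counting framing is robust even without it, which is worth checking when auditing a syslog receiver's configuration.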

Remediation

Upgrade to Apache Log4j Core version 2.25.4, which restores the correct attribute names and functionality. After upgrading, verify that the Rfc5424Layout is properly configured for the intended syslog framing.

Added: Apr 10, 2026, 4:54 PM
Updated: Apr 10, 2026, 4:54 PM

Vulnerability Rating

Custom Algorithm
spread: 7.8
impact: 0.6
exploitability: 5.3
remediation: 7.7
relevance: 5.6
threat: 4.8
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.