CVE-2021-45105

CWE-20 — Improper Input Validation CWE-674 — Uncontrolled Recursion CWE-502 — Deserialization of Untrusted Data CWE-400 — Uncontrolled Resource Consumption CWE-83527 documents17 sources

Severity

5.9MEDIUM

EPSS

70.4%

top 1.31%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

116

Apache Software Foundation Apache Log4j2 Apache Log4j Oracle Communications Element Manager +113 more

Timeline

PublishedDec 18

Latest updateJan 15

Description

Apache Log4j2 versions 2.0-alpha1 through 2.16.0 (excluding 2.12.3 and 2.3.1) did not protect from uncontrolled recursion from self-referential lookups. This allows an attacker with control over Thread Context Map data to cause a denial of service when a crafted string is interpreted. This issue was fixed in Log4j 2.17.0, 2.12.3, and 2.3.1.

CVSS vector

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:HExploitability: 2.2 | Impact: 3.6

Affected Packages119 packages

▶CVEListV5apache_software_foundation/apache_log4j2log4j-core — 2.17.0

▶Debianapache-log4j2< 2.17.0-1~deb11u1+3

▶NVDapache/log4j2.0 — 2.3.1+2

▶Mavenorg.apache.logging.log4j:log4j-core2.4.0 — 2.12.3+2

▶Mavenorg.ops4j.pax.logging:pax-logging-log4j21.8.0 — 1.9.2+3

Also affects: Debian Linux 10.0, 11.0

Patches

Patch: www.oracle.com ↗Patch: www.oracle.com ↗Patch: www.oracle.com ↗

🔴Vulnerability Details

OSV

apache-log4j2 vulnerabilities↗2022-01-11

▶

GHSA

Remote code injection, Improper Input Validation and Uncontrolled Recursion in Log4j library↗2022-01-06

▶

OSV

Remote code injection, Improper Input Validation and Uncontrolled Recursion in Log4j library↗2022-01-06

▶

OSV

CVE-2021-45105: Apache Log4j2 versions 2↗2021-12-18

▶

OSV

Apache Log4j2 vulnerable to Improper Input Validation and Uncontrolled Recursion↗2021-12-18

▶

🔍Detection Rules

Suricata

ET EXPLOIT Possible Apache log4j Uncontrolled Recursion Lookup (CVE-2021-45105)↗2021-12-22

▶

📋Vendor Advisories

Oracle

Oracle Oracle Fusion Middleware Risk Matrix: Core (Apache Log4j) — CVE-2021-45105↗2026-01-15

▶

Oracle

Oracle Oracle Utilities Applications Risk Matrix: System Wide (Apache Log4j) — CVE-2021-45105↗2023-01-15

▶

Oracle

Oracle Oracle Communications Risk Matrix: Integration (Apache Log4j) — CVE-2021-45105↗2022-01-15

▶

Ubuntu

Apache Log4j 2 vulnerabilities↗2022-01-11

▶

Ubuntu

Apache Log4j 2 vulnerability↗2021-12-19

▶

🕵️Threat Intelligence

Sentinelone

Log4j One Month On | Crimeware and Exploitation Roundup↗2022-01-10

▶

Sentinelone

Log4j One Month On | Crimeware and Exploitation Roundup↗2022-01-10

▶

Securelist

Answering Log4Shell-related questions↗2021-12-20

▶

Unit42

Another Apache Log4j Vulnerability Is Actively Exploited in the Wild (CVE-2021-44228) (Updated)↗2021-12-10

▶