Loading HuntDB...
Hunt
Vulnerability Intelligence by wss.sh
Home Daily Briefings High Impact CVEs Recent Exploits KEV Catalog GitHub Advisories Latest Updates Security News
Sign In Sign Up

CVE-2021-45105

UNKNOWN
Published 2021-12-18T11:55:08
Actions:

Expert Analysis

Professional remediation guidance

Get tailored security recommendations from our analyst team for CVE-2021-45105. We'll provide specific mitigation strategies based on your environment and risk profile.

No CVSS data available

Description

Apache Log4j2 versions 2.0-alpha1 through 2.16.0 (excluding 2.12.3 and 2.3.1) did not protect from uncontrolled recursion from self-referential lookups. This allows an attacker with control over Thread Context Map data to cause a denial of service when a crafted string is interpreted. This issue was fixed in Log4j 2.17.0, 2.12.3, and 2.3.1.

Available Exploits

No exploits available for this CVE.

Related News

No news articles found for this CVE.

Affected Products

Apache Software Foundation

Apache Log4j2

Affected Versions:

log4j-core

GitHub Security Advisories

Community-driven vulnerability intelligence from GitHub

✓ GitHub Reviewed HIGH

Apache Log4j2 vulnerable to Improper Input Validation and Uncontrolled Recursion

GHSA-p6xc-xr62-6r2g

Advisory Details

Apache Log4j2 versions 2.0-alpha1 through 2.16.0 (excluding 2.12.3) did not protect from uncontrolled recursion from self-referential lookups. This allows an attacker with control over Thread Context Map data to cause a denial of service when a crafted string is interpreted. This issue was fixed in Log4j 2.17.0 and 2.12.3. # Affected packages Only the `org.apache.logging.log4j:log4j-core` package is directly affected by this vulnerability. The `org.apache.logging.log4j:log4j-api` should be kept at the same version as the `org.apache.logging.log4j:log4j-core` package to ensure compatability if in use.

Affected Packages

Maven org.apache.logging.log4j:log4j-core
ECOSYSTEM: ≥2.4.0 <2.12.3
Maven org.apache.logging.log4j:log4j-core
ECOSYSTEM: ≥2.13.0 <2.17.0
Maven org.apache.logging.log4j:log4j-core
ECOSYSTEM: ≥0 <2.3.1
Maven org.ops4j.pax.logging:pax-logging-log4j2
ECOSYSTEM: ≥1.8.0 <1.9.2
Maven org.ops4j.pax.logging:pax-logging-log4j2
ECOSYSTEM: ≥1.10.0 <1.10.9
Maven org.ops4j.pax.logging:pax-logging-log4j2
ECOSYSTEM: ≥1.11.0 <1.11.12
Maven org.ops4j.pax.logging:pax-logging-log4j2
ECOSYSTEM: ≥2.0.0 <2.0.13

CVSS Scoring

CVSS Score

7.5

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H

References

ADVISORY https://nvd.nist.gov/vuln/detail/CVE-2021-45105
WEB https://cert-portal.siemens.com/productcert/pdf/ssa-479842.pdf
WEB https://cert-portal.siemens.com/productcert/pdf/ssa-501673.pdf
WEB https://lists.debian.org/debian-lts-announce/2021/12/msg00017.html
WEB https://lists.fedoraproject.org/archives/list/[email protected]/message/EOKPQGV24RRBBI4TBZUDQMM4MEH7MXCY
WEB https://lists.fedoraproject.org/archives/list/[email protected]/message/SIG7FZULMNK2XF6FZRU4VWYDQXNMUGAJ
WEB https://logging.apache.org/log4j/2.x/security.html
WEB https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2021-0032
WEB https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-apache-log4j-qRuKNEbd
WEB https://security.netapp.com/advisory/ntap-20211218-0001
WEB https://www.debian.org/security/2021/dsa-5024
WEB https://www.kb.cert.org/vuls/id/930724
WEB https://www.oracle.com/security-alerts/cpuapr2022.html
WEB https://www.oracle.com/security-alerts/cpujan2022.html
WEB https://www.oracle.com/security-alerts/cpujul2022.html
WEB https://www.zerodayinitiative.com/advisories/ZDI-21-1541
WEB http://www.openwall.com/lists/oss-security/2021/12/19/1

Advisory provided by GitHub Security Advisory Database. Published: December 18, 2021, Modified: May 9, 2025

References

https://logging.apache.org/log4j/2.x/security.html
https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2021-0032
https://www.kb.cert.org/vuls/id/930724
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-apache-log4j-qRuKNEbd
http://www.openwall.com/lists/oss-security/2021/12/19/1
https://www.debian.org/security/2021/dsa-5024
https://cert-portal.siemens.com/productcert/pdf/ssa-479842.pdf
https://security.netapp.com/advisory/ntap-20211218-0001/
https://www.zerodayinitiative.com/advisories/ZDI-21-1541/
https://cert-portal.siemens.com/productcert/pdf/ssa-501673.pdf
https://www.oracle.com/security-alerts/cpujan2022.html
https://www.oracle.com/security-alerts/cpuapr2022.html
https://www.oracle.com/security-alerts/cpujul2022.html
Published: 2021-12-18T11:55:08
Last Modified: 2024-08-04T04:39:20.295Z
Copied to clipboard!