CVE-2021-45105

Description

Apache Log4j2 versions 2.0-alpha1 through 2.16.0 (excluding 2.12.3 and 2.3.1) did not protect from uncontrolled recursion from self-referential lookups. This allows an attacker with control over Thread Context Map data to cause a denial of service when a crafted string is interpreted. This issue was fixed in Log4j 2.17.0, 2.12.3, and 2.3.1.

CVSS Metrics

• v3.1•MEDIUM•Score: 5.9CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H
• v3.1•HIGH•Score: 8.6CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H
• v2.0•MEDIUM•Score: 4.3AV:N/AC:M/Au:N/C:N/I:N/A:P

EPSS Trends

Current EPSS score: 74.02%• Percentile: 99%

Techniques & Countermeasures

• CWE-20•Improper Input Validation

  The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly.

• CWE-674•Uncontrolled Recursion

  The product does not properly control the amount of recursion that takes place, consuming excessive resources, such as allocated memory or the program stack.

Affected Systems

• apache software foundation•apache log4j2

  ≥ log4j-core, < 2.17.0

• apache•log4j

  ≥ 2.0, < 2.3.1 | ≥ 2.4, < 2.12.3 | ≥ 2.13.0, ≤ 2.16.0

• debian•debian_linux

  10.0 | 11.0

• org.apache.logging.log4j•log4j-core

  ≥ 2.4.0, < 2.12.3 | ≥ 2.13.0, < 2.17.0 | < 2.3.1

• org.ops4j.pax.logging•pax-logging-log4j2

  ≥ 1.8.0, < 1.9.2 | ≥ 1.10.0, < 1.10.9 | ≥ 1.11.0, < 1.11.12 | ≥ 2.0.0, < 2.0.13

• netapp•cloud_manager

  na

• oracle•agile_engineering_data_management

  6.2.1.0

• oracle•agile_plm

  9.3.6

• oracle•agile_plm_mcad_connector

  3.6

• oracle•autovue_for_agile_product_lifecycle_management

  21.0.2

• oracle•banking_deposits_and_lines_of_credit_servicing

  2.12.0

• oracle•banking_enterprise_default_management

  2.7.1 | 2.12.0

• oracle•banking_loans_servicing

  2.12.0

• oracle•banking_party_management

  2.7.0

• oracle•banking_payments

  14.5

• oracle•banking_platform

  2.6.2 | 2.7.1 | 2.12.0

• oracle•banking_trade_finance

  14.5

• oracle•banking_treasury_management

  14.5

• oracle•business_intelligence

  5.5.0.0.0

• oracle•communications_asap

  7.3

• oracle•communications_billing_and_revenue_management

  12.0.0.4 | 12.0.0.5

• oracle•communications_cloud_native_core_console

  1.9.0

• oracle•communications_cloud_native_core_network_function_cloud_native_environment

  1.10.0

• oracle•communications_cloud_native_core_network_repository_function

  1.15.0 | 1.15.1

• oracle•communications_cloud_native_core_network_slice_selection_function

  1.8.0

• oracle•communications_cloud_native_core_policy

  1.15.0

• oracle•communications_cloud_native_core_security_edge_protection_proxy

  1.7.0

• oracle•communications_cloud_native_core_service_communication_proxy

  1.15.0

• oracle•communications_cloud_native_core_unified_data_repository

  1.15.0

• oracle•communications_convergence

  3.0.2.2.0 | 3.0.3.0

• oracle•communications_convergent_charging_controller

  ≥ 12.0.1.0.0, ≤ 12.0.4.0.0 | 6.0.1.0.0

• oracle•communications_diameter_signaling_router

  ≥ 8.3.0.0, ≤ 8.5.1.0

• oracle•communications_eagle_element_management_system

  46.6

• oracle•communications_eagle_ftp_table_base_retrieval

  4.5

• oracle•communications_element_manager

  < 9.0

• oracle•communications_evolved_communications_application_server

  7.1

• oracle•communications_interactive_session_recorder

  6.3 | 6.4

• oracle•communications_ip_service_activator

  7.4.0

• oracle•communications_messaging_server

  8.1

• oracle•communications_network_charging_and_control

  ≥ 12.0.1.0.0, ≤ 12.0.4.0.0 | 6.0.1.0.0

• oracle•communications_network_integrity

  7.3.6

• oracle•communications_performance_intelligence_center

  10.4.0.3

• oracle•communications_pricing_design_center

  12.0.0.4 | 12.0.0.5

• oracle•communications_service_broker

  6.2

• oracle•communications_services_gatekeeper

  7.0

• oracle•communications_session_report_manager

  < 9.0

• oracle•communications_session_route_manager

  < 9.0

• oracle•communications_unified_inventory_management

  7.3.5 | 7.4.1 | 7.4.2

• oracle•communications_user_data_repository

  12.4

• oracle•communications_webrtc_session_controller

  7.2.0.0 | 7.2.1

Showing first 50 affected entries in server-rendered view.

References (20)

• https://logging.apache.org/log4j/2.x/security.html
• https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2021-0032
• https://www.kb.cert.org/vuls/id/930724
• https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-apache-log4j-qRuKNEbd
• http://www.openwall.com/lists/oss-security/2021/12/19/1
• https://www.debian.org/security/2021/dsa-5024
• https://cert-portal.siemens.com/productcert/pdf/ssa-479842.pdf
• https://security.netapp.com/advisory/ntap-20211218-0001/
• https://www.zerodayinitiative.com/advisories/ZDI-21-1541/
• https://cert-portal.siemens.com/productcert/pdf/ssa-501673.pdf
• https://www.oracle.com/security-alerts/cpujan2022.html
• https://www.oracle.com/security-alerts/cpuapr2022.html
• https://www.oracle.com/security-alerts/cpujul2022.html
• https://nvd.nist.gov/vuln/detail/CVE-2021-45105
• https://lists.debian.org/debian-lts-announce/2021/12/msg00017.html
• https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/EOKPQGV24RRBBI4TBZUDQMM4MEH7MXCY
• https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/SIG7FZULMNK2XF6FZRU4VWYDQXNMUGAJ
• https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-apache-log4j-qRuKNEbd
• https://security.netapp.com/advisory/ntap-20211218-0001
• https://www.zerodayinitiative.com/advisories/ZDI-21-1541