CVE-2021-45105: Apache Log4j2 vulnerable to Improper Input Validation and Uncontrolled Recursion
(updated )
Apache Log4j2 versions 2.0-alpha1 through 2.16.0 (excluding 2.12.3) did not protect from uncontrolled recursion from self-referential lookups. This allows an attacker with control over Thread Context Map data to cause a denial of service when a crafted string is interpreted. This issue was fixed in Log4j 2.17.0 and 2.12.3.
References
- cert-portal.siemens.com/productcert/pdf/ssa-479842.pdf
- cert-portal.siemens.com/productcert/pdf/ssa-501673.pdf
- github.com/advisories/GHSA-p6xc-xr62-6r2g
- lists.debian.org/debian-lts-announce/2021/12/msg00017.html
- lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/EOKPQGV24RRBBI4TBZUDQMM4MEH7MXCY
- lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/SIG7FZULMNK2XF6FZRU4VWYDQXNMUGAJ
- logging.apache.org/log4j/2.x/security.html
- nvd.nist.gov/vuln/detail/CVE-2021-45105
- psirt.global.sonicwall.com/vuln-detail/SNWLID-2021-0032
- sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-apache-log4j-qRuKNEbd
- security.netapp.com/advisory/ntap-20211218-0001
- www.debian.org/security/2021/dsa-5024
- www.kb.cert.org/vuls/id/930724
- www.oracle.com/security-alerts/cpuapr2022.html
- www.oracle.com/security-alerts/cpujan2022.html
- www.oracle.com/security-alerts/cpujul2022.html
- www.zerodayinitiative.com/advisories/ZDI-21-1541
Code Behaviors & Features
Detect and mitigate CVE-2021-45105 with GitLab Dependency Scanning
Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →