CVE-2021-45105
CVE-2021-45105 is a medium-severity vulnerability rated 5.9/10 on the CVSS scale. Apache Log4j2 versions 2.0-alpha1 through 2.16.0 (excluding 2.12.3 and 2.3.1) did not protect from uncontrolled recursion from self-referential lookups. This allows an attacker with control over Thread Context Map data to cause a denial of service when a crafted string is interpreted. EPSS estimates a 100.00% chance of exploitation in the next 30 days.
Description
Apache Log4j2 versions 2.0-alpha1 through 2.16.0 (excluding 2.12.3 and 2.3.1) did not protect from uncontrolled recursion from self-referential lookups. This allows an attacker with control over Thread Context Map data to cause a denial of service when a crafted string is interpreted. This issue was fixed in Log4j 2.17.0, 2.12.3, and 2.3.1.
Metrics
CVSS v3.1 vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H
EPSS: 100.0th percentile (probability of exploitation in the next 30 days)
Affected Software
| Vendor | Product | Versions |
|---|---|---|
| Apache | Log4j | >= 2.0, < 2.3.1 |
| Apache | Log4j | >= 2.4, < 2.12.3 |
| Apache | Log4j | >= 2.13.0, <= 2.16.0 |
| Netapp | Cloud Manager | All versions |
| Debian | Debian Linux | 10.0 |
| Debian | Debian Linux | 11.0 |
| Sonicwall | Email Security | <= 10.0.12 |
| Sonicwall | Network Security Manager | >= 2.0, < 3.0 |
| Sonicwall | Web Application Firewall | >= 3.0.0, < 3.1.0 |
| Sonicwall | 6bk1602-0aa12-0tp0 Firmware | < 2.7.0 |
| Sonicwall | 6bk1602-0aa22-0tp0 Firmware | < 2.7.0 |
| Sonicwall | 6bk1602-0aa32-0tp0 Firmware | < 2.7.0 |
| Sonicwall | 6bk1602-0aa42-0tp0 Firmware | < 2.7.0 |
| Sonicwall | 6bk1602-0aa52-0tp0 Firmware | < 2.7.0 |
| Oracle | Agile Engineering Data Management | 6.2.1.0 |
| Oracle | Agile Plm | 9.3.6 |
| Oracle | Agile Plm Mcad Connector | 3.6 |
| Oracle | Autovue For Agile Product Lifecycle Management | 21.0.2 |
| Oracle | Banking Deposits And Lines Of Credit Servicing | 2.12.0 |
| Oracle | Banking Enterprise Default Management | 2.7.1 |
| Oracle | Banking Enterprise Default Management | 2.12.0 |
| Oracle | Banking Loans Servicing | 2.12.0 |
| Oracle | Banking Party Management | 2.7.0 |
| Oracle | Banking Payments | 14.5 |
| Oracle | Banking Platform | 2.6.2 |
| Oracle | Banking Platform | 2.7.1 |
| Oracle | Banking Platform | 2.12.0 |
| Oracle | Banking Trade Finance | 14.5 |
| Oracle | Banking Treasury Management | 14.5 |
| Oracle | Business Intelligence | 5.5.0.0.0 |
| Oracle | Communications Asap | 7.3 |
| Oracle | Communications Billing And Revenue Management | 12.0.0.4 |
| Oracle | Communications Billing And Revenue Management | 12.0.0.5 |
| Oracle | Communications Cloud Native Core Console | 1.9.0 |
| Oracle | Communications Cloud Native Core Network Function Cloud Native Environment | 1.10.0 |
| Oracle | Communications Cloud Native Core Network Repository Function | 1.15.0 |
| Oracle | Communications Cloud Native Core Network Repository Function | 1.15.1 |
| Oracle | Communications Cloud Native Core Network Slice Selection Function | 1.8.0 |
| Oracle | Communications Cloud Native Core Policy | 1.15.0 |
| Oracle | Communications Cloud Native Core Security Edge Protection Proxy | 1.7.0 |
| Oracle | Communications Cloud Native Core Service Communication Proxy | 1.15.0 |
| Oracle | Communications Cloud Native Core Unified Data Repository | 1.15.0 |
| Oracle | Communications Convergence | 3.0.2.2.0 |
| Oracle | Communications Convergence | 3.0.3.0 |
| Oracle | Communications Convergent Charging Controller | >= 12.0.1.0.0, <= 12.0.4.0.0 |
| Oracle | Communications Convergent Charging Controller | 6.0.1.0.0 |
| Oracle | Communications Diameter Signaling Router | >= 8.3.0.0, <= 8.5.1.0 |
| Oracle | Communications Eagle Element Management System | 46.6 |
| Oracle | Communications Eagle Ftp Table Base Retrieval | 4.5 |
| Oracle | Communications Element Manager | < 9.0 |
Showing 50 of 207 affected configurations. See NVD for the full list.
References
- http://www.openwall.com/lists/oss-security/2021/12/19/1 (Mailing List, Mitigation, Third Party Advisory)
- https://cert-portal.siemens.com/productcert/pdf/ssa-479842.pdf (Third Party Advisory)
- https://cert-portal.siemens.com/productcert/pdf/ssa-501673.pdf (Third Party Advisory)
- https://logging.apache.org/log4j/2.x/security.html (Release Notes, Vendor Advisory)
- https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2021-0032 (Third Party Advisory)
- https://security.netapp.com/advisory/ntap-20211218-0001/ (Third Party Advisory)
- https://www.debian.org/security/2021/dsa-5024 (Third Party Advisory)
- https://www.kb.cert.org/vuls/id/930724 (Third Party Advisory, US Government Resource)
- https://www.oracle.com/security-alerts/cpuapr2022.html (Patch, Third Party Advisory)
- https://www.oracle.com/security-alerts/cpujan2022.html (Patch, Third Party Advisory)
- https://www.oracle.com/security-alerts/cpujul2022.html (Third Party Advisory)
- https://www.zerodayinitiative.com/advisories/ZDI-21-1541/ (Third Party Advisory, VDB Entry)
Source: NVD / NIST
