CVE-2021-45105

Summary

Apache Log4j2 versions 2.0-alpha1 through 2.16.0 (excluding 2.12.3 and 2.3.1) did not protect from uncontrolled recursion from self-referential lookups. This allows an attacker with control over Thread Context Map data to cause a denial of service when a crafted string is interpreted. This issue was fixed in Log4j 2.17.0, 2.12.3, and 2.3.1.

Affected Software

VendorProductVersion RangeStatus
Apache Software FoundationApache Log4j2log4j-core < 2.17.0affected

Weaknesses

  • CWE-20: CWE-20 Improper Input Validation
  • CWE-674: CWE-674: Uncontrolled Recursion

Workarounds

Implement one of the following mitigation techniques:

  • Java 8 (or later) users should upgrade to release 2.17.0.

Alternatively, this can be mitigated in configuration:

  • In PatternLayout in the logging configuration, replace Context Lookups like ${ctx:loginId} or $${ctx:loginId} with Thread Context Map patterns (%X, %mdc, or %MDC).
  • Otherwise, in the configuration, remove references to Context Lookups like ${ctx:loginId} or $${ctx:loginId} where they originate from sources external to the application such as HTTP headers or user input.

ADP Enrichment

CVE Program Container

Additional References

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: no
    • Technical Impact: partial

References