{"containers":{"cna":{"affected":[{"product":"Apache Log4j2","vendor":"Apache Software Foundation","versions":[{"changes":[{"at":"2.13.0","status":"affected"},{"at":"2.12.3","status":"unaffected"},{"at":"2.4","status":"affected"},{"at":"2.3.1","status":"unaffected"},{"at":"2.0-alpha1","status":"affected"}],"lessThan":"2.17.0","status":"affected","version":"log4j-core","versionType":"custom"}]}],"credits":[{"lang":"en","value":"Independently discovered by Hideki Okamoto of Akamai Technologies, Guy Lederfein of Trend Micro Research working with Trend Micro’s Zero Day Initiative, and another anonymous vulnerability researcher"}],"descriptions":[{"lang":"en","value":"Apache Log4j2 versions 2.0-alpha1 through 2.16.0 (excluding 2.12.3 and 2.3.1) did not protect from uncontrolled recursion from self-referential lookups. This allows an attacker with control over Thread Context Map data to cause a denial of service when a crafted string is interpreted. This issue was fixed in Log4j 2.17.0, 2.12.3, and 2.3.1."}],"metrics":[{"other":{"content":{"other":"high"},"type":"unknown"}}],"problemTypes":[{"descriptions":[{"cweId":"CWE-20","description":"CWE-20 Improper Input Validation","lang":"en","type":"CWE"}]},{"descriptions":[{"cweId":"CWE-674","description":"CWE-674: Uncontrolled Recursion","lang":"en","type":"CWE"}]}],"providerMetadata":{"dateUpdated":"2022-07-25T16:41:57.000Z","orgId":"f0158376-9dc2-43b6-827c-5f631a4d8d09","shortName":"apache"},"references":[{"tags":["x_refsource_MISC"],"url":"https://logging.apache.org/log4j/2.x/security.html"},{"tags":["x_refsource_CONFIRM"],"url":"https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2021-0032"},{"name":"VU#930724","tags":["third-party-advisory","x_refsource_CERT-VN"],"url":"https://www.kb.cert.org/vuls/id/930724"},{"name":"20211210 Vulnerabilities in Apache Log4j Library Affecting Cisco Products: December 2021","tags":["vendor-advisory","x_refsource_CISCO"],"url":"https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-apache-log4j-qRuKNEbd"},{"name":"[oss-security] 20211218 CVE-2021-45105: Apache Log4j2 does not always protect from infinite recursion in lookup evaluation","tags":["mailing-list","x_refsource_MLIST"],"url":"http://www.openwall.com/lists/oss-security/2021/12/19/1"},{"name":"DSA-5024","tags":["vendor-advisory","x_refsource_DEBIAN"],"url":"https://www.debian.org/security/2021/dsa-5024"},{"tags":["x_refsource_CONFIRM"],"url":"https://cert-portal.siemens.com/productcert/pdf/ssa-479842.pdf"},{"tags":["x_refsource_CONFIRM"],"url":"https://security.netapp.com/advisory/ntap-20211218-0001/"},{"tags":["x_refsource_MISC"],"url":"https://www.zerodayinitiative.com/advisories/ZDI-21-1541/"},{"tags":["x_refsource_CONFIRM"],"url":"https://cert-portal.siemens.com/productcert/pdf/ssa-501673.pdf"},{"tags":["x_refsource_MISC"],"url":"https://www.oracle.com/security-alerts/cpujan2022.html"},{"tags":["x_refsource_MISC"],"url":"https://www.oracle.com/security-alerts/cpuapr2022.html"},{"tags":["x_refsource_MISC"],"url":"https://www.oracle.com/security-alerts/cpujul2022.html"}],"source":{"defect":["LOG4J2-3230"],"discovery":"UNKNOWN"},"title":"Apache Log4j2 does not always protect from infinite recursion in lookup evaluation","workarounds":[{"lang":"en","value":"Implement one of the following mitigation techniques:\n\n* Java 8 (or later) users should upgrade to release 2.17.0.\n\nAlternatively, this can be mitigated in configuration:\n\n* In PatternLayout in the logging configuration, replace Context Lookups like `${ctx:loginId}` or `$${ctx:loginId}` with Thread Context Map patterns (%X, %mdc, or %MDC).\n* Otherwise, in the configuration, remove references to Context Lookups like `${ctx:loginId}` or `$${ctx:loginId}` where they originate \nfrom sources external to the application such as HTTP headers or user input."}],"x_generator":{"engine":"Vulnogram 0.0.9"},"x_legacyV4Record":{"CVE_data_meta":{"ASSIGNER":"security@apache.org","ID":"CVE-2021-45105","STATE":"PUBLIC","TITLE":"Apache Log4j2 does not always protect from infinite recursion in lookup evaluation"},"affects":{"vendor":{"vendor_data":[{"product":{"product_data":[{"product_name":"Apache Log4j2","version":{"version_data":[{"version_affected":"<","version_name":"log4j-core","version_value":"2.17.0"},{"version_affected":">=","version_name":"log4j-core","version_value":"2.13.0"},{"version_affected":"<","version_name":"log4j-core","version_value":"2.12.3"},{"version_affected":">=","version_name":"log4j-core","version_value":"2.4"},{"version_affected":"<","version_name":"log4j-core","version_value":"2.3.1"},{"version_affected":">=","version_name":"log4j-core","version_value":"2.0-alpha1"}]}}]},"vendor_name":"Apache Software Foundation"}]}},"credit":[{"lang":"eng","value":"Independently discovered by Hideki Okamoto of Akamai Technologies, Guy Lederfein of Trend Micro Research working with Trend Micro’s Zero Day Initiative, and another anonymous vulnerability researcher"}],"data_format":"MITRE","data_type":"CVE","data_version":"4.0","description":{"description_data":[{"lang":"eng","value":"Apache Log4j2 versions 2.0-alpha1 through 2.16.0 (excluding 2.12.3 and 2.3.1) did not protect from uncontrolled recursion from self-referential lookups. This allows an attacker with control over Thread Context Map data to cause a denial of service when a crafted string is interpreted. This issue was fixed in Log4j 2.17.0, 2.12.3, and 2.3.1."}]},"generator":{"engine":"Vulnogram 0.0.9"},"impact":[{"other":"high"}],"problemtype":{"problemtype_data":[{"description":[{"lang":"eng","value":"CWE-20 Improper Input Validation"}]},{"description":[{"lang":"eng","value":"CWE-674: Uncontrolled Recursion"}]}]},"references":{"reference_data":[{"name":"https://logging.apache.org/log4j/2.x/security.html","refsource":"MISC","url":"https://logging.apache.org/log4j/2.x/security.html"},{"name":"https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2021-0032","refsource":"CONFIRM","url":"https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2021-0032"},{"name":"VU#930724","refsource":"CERT-VN","url":"https://www.kb.cert.org/vuls/id/930724"},{"name":"20211210 Vulnerabilities in Apache Log4j Library Affecting Cisco Products: December 2021","refsource":"CISCO","url":"https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-apache-log4j-qRuKNEbd"},{"name":"[oss-security] 20211218 CVE-2021-45105: Apache Log4j2 does not always protect from infinite recursion in lookup evaluation","refsource":"MLIST","url":"http://www.openwall.com/lists/oss-security/2021/12/19/1"},{"name":"DSA-5024","refsource":"DEBIAN","url":"https://www.debian.org/security/2021/dsa-5024"},{"name":"https://cert-portal.siemens.com/productcert/pdf/ssa-479842.pdf","refsource":"CONFIRM","url":"https://cert-portal.siemens.com/productcert/pdf/ssa-479842.pdf"},{"name":"https://security.netapp.com/advisory/ntap-20211218-0001/","refsource":"CONFIRM","url":"https://security.netapp.com/advisory/ntap-20211218-0001/"},{"name":"https://www.zerodayinitiative.com/advisories/ZDI-21-1541/","refsource":"MISC","url":"https://www.zerodayinitiative.com/advisories/ZDI-21-1541/"},{"name":"https://cert-portal.siemens.com/productcert/pdf/ssa-501673.pdf","refsource":"CONFIRM","url":"https://cert-portal.siemens.com/productcert/pdf/ssa-501673.pdf"},{"name":"https://www.oracle.com/security-alerts/cpujan2022.html","refsource":"MISC","url":"https://www.oracle.com/security-alerts/cpujan2022.html"},{"name":"https://www.oracle.com/security-alerts/cpuapr2022.html","refsource":"MISC","url":"https://www.oracle.com/security-alerts/cpuapr2022.html"},{"name":"https://www.oracle.com/security-alerts/cpujul2022.html","refsource":"MISC","url":"https://www.oracle.com/security-alerts/cpujul2022.html"}]},"source":{"defect":["LOG4J2-3230"],"discovery":"UNKNOWN"},"work_around":[{"lang":"en","value":"Implement one of the following mitigation techniques:\n\n* Java 8 (or later) users should upgrade to release 2.17.0.\n\nAlternatively, this can be mitigated in configuration:\n\n* In PatternLayout in the logging configuration, replace Context Lookups like `${ctx:loginId}` or `$${ctx:loginId}` with Thread Context Map patterns (%X, %mdc, or %MDC).\n* Otherwise, in the configuration, remove references to Context Lookups like `${ctx:loginId}` or `$${ctx:loginId}` where they originate \nfrom sources external to the application such as HTTP headers or user input."}]}},"adp":[{"providerMetadata":{"orgId":"af854a3a-2127-422b-91ae-364da2661108","shortName":"CVE","dateUpdated":"2024-08-04T04:39:20.295Z"},"title":"CVE Program Container","references":[{"tags":["x_refsource_MISC","x_transferred"],"url":"https://logging.apache.org/log4j/2.x/security.html"},{"tags":["x_refsource_CONFIRM","x_transferred"],"url":"https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2021-0032"},{"name":"VU#930724","tags":["third-party-advisory","x_refsource_CERT-VN","x_transferred"],"url":"https://www.kb.cert.org/vuls/id/930724"},{"name":"20211210 Vulnerabilities in Apache Log4j Library Affecting Cisco Products: December 2021","tags":["vendor-advisory","x_refsource_CISCO","x_transferred"],"url":"https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-apache-log4j-qRuKNEbd"},{"name":"[oss-security] 20211218 CVE-2021-45105: Apache Log4j2 does not always protect from infinite recursion in lookup evaluation","tags":["mailing-list","x_refsource_MLIST","x_transferred"],"url":"http://www.openwall.com/lists/oss-security/2021/12/19/1"},{"name":"DSA-5024","tags":["vendor-advisory","x_refsource_DEBIAN","x_transferred"],"url":"https://www.debian.org/security/2021/dsa-5024"},{"tags":["x_refsource_CONFIRM","x_transferred"],"url":"https://cert-portal.siemens.com/productcert/pdf/ssa-479842.pdf"},{"tags":["x_refsource_CONFIRM","x_transferred"],"url":"https://security.netapp.com/advisory/ntap-20211218-0001/"},{"tags":["x_refsource_MISC","x_transferred"],"url":"https://www.zerodayinitiative.com/advisories/ZDI-21-1541/"},{"tags":["x_refsource_CONFIRM","x_transferred"],"url":"https://cert-portal.siemens.com/productcert/pdf/ssa-501673.pdf"},{"tags":["x_refsource_MISC","x_transferred"],"url":"https://www.oracle.com/security-alerts/cpujan2022.html"},{"tags":["x_refsource_MISC","x_transferred"],"url":"https://www.oracle.com/security-alerts/cpuapr2022.html"},{"tags":["x_refsource_MISC","x_transferred"],"url":"https://www.oracle.com/security-alerts/cpujul2022.html"}]}]},"cveMetadata":{"assignerOrgId":"f0158376-9dc2-43b6-827c-5f631a4d8d09","assignerShortName":"apache","cveId":"CVE-2021-45105","datePublished":"2021-12-18T11:55:08.000Z","dateReserved":"2021-12-16T00:00:00.000Z","dateUpdated":"2024-08-04T04:39:20.295Z","state":"PUBLISHED"},"dataType":"CVE_RECORD","dataVersion":"5.1"}