Fluid Attacks Database

Description

Apache Log4j2 vulnerable to Improper Input Validation and Uncontrolled Recursion Apache Log4j2 versions 2.0-alpha1 through 2.16.0 (excluding 2.12.3) did not protect from uncontrolled recursion from self-referential lookups. This allows an attacker with control over Thread Context Map data to cause a denial of service when a crafted string is interpreted. This issue was fixed in Log4j 2.17.0 and 2.12.3.

Affected packages

Only the org.apache.logging.log4j:log4j-core package is directly affected by this vulnerability. The org.apache.logging.log4j:log4j-api should be kept at the same version as the org.apache.logging.log4j:log4j-core package to ensure compatability if in use.

Mitigation

Update Impact

Minimal update. May introduce new vulnerabilities or breaking changes.

Ecosystem	Package	Affected version	Patched versions
maven	org.apache.logging.log4j:log4j-api	<0	2.12.3, 2.17.0
maven	org.apache.logging.log4j:log4j-core	>=2.4.0 <2.12.3 \|\| >=2.13.0 <2.17.0 \|\| >=0 <2.3.1	2.12.3, 2.17.0, 2.3.1
maven	org.ops4j.pax.logging:pax-logging-log4j2	>=1.8.0 <1.9.2 \|\| >=1.10.0 <1.10.9 \|\| >=1.11.0 <1.11.12 \|\| >=2.0.0 <2.0.13	1.9.2, 1.10.9, 1.11.12, 2.0.13
debian 11	apache-log4j2	=2.13.3-1 \|\| =2.15.0-1 \|\| =2.15.0-1~deb10u1 \|\| =2.15.0-1~deb11u1 \|\| =2.16.0-1 \|\| =2.16.0-1~deb10u1 \|\| =2.16.0-1~deb11u1 \|\| =2.17.0-1~deb10u1 \|\| >=0 <2.17.0-1~deb11u1	2.17.0-1~deb11u1
debian 13	apache-log4j2	>=0 <2.17.0-1	2.17.0-1
debian 14	apache-log4j2	>=0 <2.17.0-1	2.17.0-1
debian 12	apache-log4j2	>=0 <2.17.0-1	2.17.0-1

Aliases

1. CVE-2021-451052. NVD-2021-451053. OSV-2021-451054. OSV-DEBIAN-2021-451055. GHSA-p6xc-xr62-6r2g6. GCVE-2021-451057. lists.debian.org8. SECURITY-TRACKER-CVE-2021-45105

References

1. https://logging.apache.org/log4j/2.x/security.html2. https://security.netapp.com/advisory/ntap-20211218-0001/3. https://cert-portal.siemens.com/productcert/pdf/ssa-479842.pdf4. https://cert-portal.siemens.com/productcert/pdf/ssa-501673.pdf5. https://lists.fedoraproject.org/archives/list/[email protected]/message/EOKPQGV24RRBBI4TBZUDQMM4MEH7MXCY/6. https://lists.fedoraproject.org/archives/list/[email protected]/message/SIG7FZULMNK2XF6FZRU4VWYDQXNMUGAJ/7. https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2021-00328. https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-apache-log4j-qRuKNEbd9. https://www.debian.org/security/2021/dsa-502410. https://www.kb.cert.org/vuls/id/93072411. https://www.zerodayinitiative.com/advisories/ZDI-21-1541/12. http://www.openwall.com/lists/oss-security/2021/12/19/113. https://www.oracle.com/security-alerts/cpujan2022.html14. https://vulncheck.com/cve/CVE-2021-4510515. https://github.com/cckuailong/Log4j_dos_CVE-2021-4510516. https://lists.fedoraproject.org/archives/list/[email protected]/message/EOKPQGV24RRBBI4TBZUDQMM4MEH7MXCY17. https://lists.fedoraproject.org/archives/list/[email protected]/message/SIG7FZULMNK2XF6FZRU4VWYDQXNMUGAJ18. https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-apache-log4j-qRuKNEbd19. https://security.netapp.com/advisory/ntap-20211218-000120. https://www.oracle.com/security-alerts/cpuapr2022.html21. https://www.oracle.com/security-alerts/cpujul2022.html22. https://www.zerodayinitiative.com/advisories/ZDI-21-1541

Does your application use this vulnerable software?

During the free trial, our tools assess your application, identify vulnerabilities, and provide recommendations for their remediation.