CVE-2021-45105

Apache Log4j2 versions 2.0-alpha1 through 2.16.0 (excluding 2.12.3 and 2.3.1) did not protect from uncontrolled recursion from self-referential lookups. This allows an attacker with control over Thread Context Map data to cause a denial of service when a crafted string is interpreted. This issue was fixed in Log4j 2.17.0, 2.12.3, and 2.3.1.

Published: Dec 18, 2021
Updated: May 9, 2024
CVE: CVE-2021-45105
GHSA: GHSA-p6xc-xr62-6r2g
Severity: Medium
Exploit:

CVSS v3:

Severity: Medium
Score: 5.9
AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H

CVSS v2:

Severity: Low
Score: 4.3
AV:N/AC:M/Au:N/C:N/I:N/A:P

CWEs:

Affected Software
References

Software	From	Fixed in
apache / log4j	2.0	2.3.1
apache / log4j	2.4	2.12.3
apache / log4j	2.13.0	2.16.0.x
debian / debian_linux	10.0	10.0.x
debian / debian_linux	11.0	11.0.x
sonicwall / network_security_manager	2.0	3.0
sonicwall / email_security	-	10.0.12.x
sonicwall / web_application_firewall	3.0.0	3.1.0
sonicwall / 6bk1602-0aa12-0tp0_firmware	-	2.7.0
sonicwall / 6bk1602-0aa22-0tp0_firmware	-	2.7.0
sonicwall / 6bk1602-0aa32-0tp0_firmware	-	2.7.0
sonicwall / 6bk1602-0aa42-0tp0_firmware	-	2.7.0
sonicwall / 6bk1602-0aa52-0tp0_firmware	-	2.7.0
oracle / e-business_suite	12.2	12.2.x
oracle / retail_back_office	14.1	14.1.x
oracle / weblogic_server	12.2.1.3.0	12.2.1.3.0.x
oracle / webcenter_portal	12.2.1.3.0	12.2.1.3.0.x
oracle / webcenter_sites	12.2.1.3.0	12.2.1.3.0.x
oracle / managed_file_transfer	12.2.1.3.0	12.2.1.3.0.x
oracle / retail_order_broker	16.0	16.0.x
oracle / retail_integration_bus	14.1.3	14.1.3.x
oracle / retail_returns_management	14.1	14.1.x
oracle / retail_central_office	14.1	14.1.x
oracle / banking_platform	2.6.2	2.6.2.x
oracle / primavera_unifier	18.8	18.8.x
oracle / identity_management_suite	12.2.1.3.0	12.2.1.3.0.x
oracle / retail_point-of-service	14.1	14.1.x
oracle / data_integrator	12.2.1.3.0	12.2.1.3.0.x
oracle / utilities_framework	4.4.0.0.0	4.4.0.0.0.x
oracle / instantis_enterprisetrack	17.1	17.1.x
oracle / instantis_enterprisetrack	17.2	17.2.x
oracle / instantis_enterprisetrack	17.3	17.3.x
oracle / agile_plm	9.3.6	9.3.6.x
oracle / communications_unified_inventory_management	7.3.5	7.3.5.x
oracle / weblogic_server	12.2.1.4.0	12.2.1.4.0.x
oracle / flexcube_universal_banking	14.0.0	14.3.0.x
oracle / business_intelligence	5.5.0.0.0	5.5.0.0.0.x
oracle / peoplesoft_enterprise_peopletools	8.58	8.58.x
oracle / primavera_unifier	19.12	19.12.x
oracle / webcenter_sites	12.2.1.4.0	12.2.1.4.0.x
oracle / webcenter_portal	12.2.1.4.0	12.2.1.4.0.x
oracle / weblogic_server	14.1.1.0.0	14.1.1.0.0.x
oracle / enterprise_manager_base_platform	13.4.0.0	13.4.0.0.x
oracle / communications_ip_service_activator	7.4.0	7.4.0.x
oracle / utilities_framework	4.3.0.1.0	4.3.0.6.0.x
oracle / utilities_framework	4.4.0.2.0	4.4.0.2.0.x
oracle / insurance_insbridge_rating_and_underwriting	5.6.1.0	5.6.1.0.x
oracle / enterprise_manager_ops_center	12.4.0.0	12.4.0.0.x
oracle / jdeveloper	12.2.1.4.0	12.2.1.4.0.x
oracle / enterprise_manager_for_peoplesoft	13.4.1.1	13.4.1.1.x
oracle / communications_services_gatekeeper	7.0	7.0.x
oracle / retail_merchandising_system	16.0.3	16.0.3.x
oracle / banking_platform	2.7.1	2.7.1.x
oracle / communications_evolved_communications_application_server	7.1	7.1.x
oracle / agile_engineering_data_management	6.2.1.0	6.2.1.0.x
oracle / data_integrator	12.2.1.4.0	12.2.1.4.0.x
oracle / retail_service_backbone	14.1.3	14.1.3.x
oracle / primavera_unifier	20.12	20.12.x
oracle / managed_file_transfer	12.2.1.4.0	12.2.1.4.0.x
oracle / communications_network_integrity	7.3.6	7.3.6.x
oracle / retail_order_broker	18.0	18.0.x
oracle / communications_interactive_session_recorder	6.3	6.3.x
oracle / communications_interactive_session_recorder	6.4	6.4.x
oracle / peoplesoft_enterprise_peopletools	8.59	8.59.x
oracle / communications_unified_inventory_management	7.4.1	7.4.1.x
oracle / retail_service_backbone	15.0.3.1	15.0.3.1.x
oracle / retail_service_backbone	14.1.3.2	14.1.3.2.x
oracle / primavera_gateway	17.12.0	17.12.11.x
oracle / utilities_framework	4.4.0.3.0	4.4.0.3.0.x
oracle / communications_performance_intelligence_center	10.4.0.3	10.4.0.3.x
oracle / retail_price_management	14.1.3.0	14.1.3.0.x
oracle / retail_price_management	15.0.3.0	15.0.3.0.x
oracle / retail_price_management	16.0.3.0	16.0.3.0.x
oracle / retail_order_broker	19.1	19.1.x
oracle / enterprise_manager_base_platform	13.5.0.0	13.5.0.0.x
oracle / primavera_gateway	20.12.0	20.12.7.x
oracle / banking_platform	2.12.0	2.12.0.x
oracle / autovue_for_agile_product_lifecycle_management	21.0.2	21.0.2.x
oracle / communications_cloud_native_core_security_edge_protection_proxy	1.7.0	1.7.0.x
oracle / banking_enterprise_default_management	2.12.0	2.12.0.x
oracle / banking_party_management	2.7.0	2.7.0.x
oracle / communications_messaging_server	8.1	8.1.x
oracle / retail_service_backbone	19.0.1.0	19.0.1.0.x
oracle / retail_merchandising_system	19.0.1	19.0.1.x
oracle / retail_integration_bus	14.1.3.2	14.1.3.2.x
oracle / retail_financial_integration	14.1.3.2	14.1.3.2.x
oracle / retail_eftlink	16.0.3	16.0.3.x
oracle / retail_eftlink	17.0.2	17.0.2.x
oracle / retail_eftlink	18.0.1	18.0.1.x
oracle / retail_eftlink	19.0.1	19.0.1.x
oracle / communications_eagle_ftp_table_base_retrieval	4.5	4.5.x
oracle / retail_integration_bus	15.0.3.1	15.0.3.1.x
oracle / retail_financial_integration	15.0.3.1	15.0.3.1.x
oracle / communications_asap	7.3	7.3.x
oracle / financial_services_model_management_and_governance	8.1.0.0.0	8.1.0.0.0.x
oracle / financial_services_model_management_and_governance	8.0.8.0.0	8.0.8.0.0.x
oracle / financial_services_analytical_applications_infrastructure	8.0.7	8.1.1.x
oracle / communications_convergence	3.0.2.2.0	3.0.2.2.0.x
oracle / primavera_unifier	21.12	21.12.x
oracle / siebel_ui_framework	-	21.12.x
oracle / retail_service_backbone	19.0.0	19.0.0.x
oracle / retail_service_backbone	16.0.1	16.0.3.x
oracle / retail_price_management	13.2	13.2.x
oracle / retail_price_management	14.0.4	14.0.4.x
oracle / retail_predictive_application_server	14.1.3.46	14.1.3.46.x
oracle / retail_predictive_application_server	15.0.3.115	15.0.3.115.x
oracle / retail_predictive_application_server	16.0.3.240	16.0.3.240.x
oracle / retail_order_management_system	19.5	19.5.x
oracle / retail_invoice_matching	15.0.3	15.0.3.x
oracle / retail_invoice_matching	16.0.3	16.0.3.x
oracle / retail_integration_bus	16.0.1	16.0.3.x
oracle / retail_integration_bus	19.0.0	19.0.1.0.x
oracle / retail_eftlink	20.0.1	20.0.1.x
oracle / financial_services_model_management_and_governance	8.1.1.0.0	8.1.1.0.0.x
oracle / primavera_p6_enterprise_project_portfolio_management	21.12.0.0	21.12.0.0.x
oracle / primavera_p6_enterprise_project_portfolio_management	20.12.0.0	20.12.12.0.x
oracle / primavera_p6_enterprise_project_portfolio_management	19.12.0.0	19.12.18.0.x
oracle / primavera_gateway	21.12.0	21.12.0.x
oracle / primavera_gateway	19.12.0	19.12.12.x
oracle / primavera_gateway	18.8.0	18.8.13.x
oracle / communications_diameter_signaling_router	8.3.0.0	8.5.1.0.x
oracle / communications_webrtc_session_controller	7.2.0.0	7.2.0.0.x
oracle / communications_webrtc_session_controller	7.2.1	7.2.1.x
oracle / communications_service_broker	6.2	6.2.x
oracle / communications_unified_inventory_management	7.4.2	7.4.2.x
oracle / banking_loans_servicing	2.12.0	2.12.0.x
oracle / communications_network_charging_and_control	12.0.1.0.0	12.0.4.0.0.x
oracle / communications_network_charging_and_control	6.0.1.0.0	6.0.1.0.0.x
oracle / communications_convergent_charging_controller	6.0.1.0.0	6.0.1.0.0.x
oracle / communications_convergent_charging_controller	12.0.1.0.0	12.0.4.0.0.x
oracle / communications_billing_and_revenue_management	12.0.0.4	12.0.0.4.x
oracle / healthcare_data_repository	8.1.1	8.1.1.x
oracle / healthcare_translational_research	4.1.0	4.1.0.x
oracle / retail_service_backbone	19.0.1	19.0.1.x
oracle / retail_integration_bus	19.0.0	19.0.0.x
oracle / retail_integration_bus	19.0.1	19.0.1.x
oracle / retail_financial_integration	19.0.1	19.0.1.x
oracle / insurance_insbridge_rating_and_underwriting	5.2.0	5.2.0.x
oracle / hospitality_suite8	8.13.0	8.13.0.x
oracle / hospitality_suite8	8.14.0	8.14.0.x
oracle / agile_plm_mcad_connector	3.6	3.6.x
oracle / banking_enterprise_default_management	2.7.1	2.7.1.x
oracle / banking_deposits_and_lines_of_credit_servicing	2.12.0	2.12.0.x
oracle / communications_pricing_design_center	12.0.0.4	12.0.0.4.x
oracle / communications_pricing_design_center	12.0.0.5	12.0.0.5.x
oracle / communications_element_manager	-	9.0
oracle / communications_session_report_manager	-	9.0
oracle / communications_session_route_manager	-	9.0
oracle / identity_management_suite	12.2.1.4.0	12.2.1.4.0.x
oracle / hyperion_data_relationship_management	-	11.2.8.0
oracle / mysql_enterprise_monitor	-	8.0.29.x
oracle / hyperion_infrastructure_technology	-	11.2.8.0
oracle / communications_cloud_native_core_console	1.9.0	1.9.0.x
oracle / communications_cloud_native_core_policy	1.15.0	1.15.0.x
oracle / communications_cloud_native_core_unified_data_repository	1.15.0	1.15.0.x
oracle / communications_cloud_native_core_network_slice_selection_function	1.8.0	1.8.0.x
oracle / communications_cloud_native_core_network_repository_function	1.15.0	1.15.0.x
oracle / communications_cloud_native_core_network_function_cloud_native_environment	1.10.0	1.10.0.x
oracle / communications_cloud_native_core_service_communication_proxy	1.15.0	1.15.0.x
oracle / communications_cloud_native_core_network_repository_function	1.15.1	1.15.1.x
oracle / banking_payments	14.5	14.5.x
oracle / banking_trade_finance	14.5	14.5.x
oracle / banking_treasury_management	14.5	14.5.x
oracle / flexcube_universal_banking	14.5	14.5.x
oracle / retail_customer_insights	15.0.2	15.0.2.x
oracle / retail_customer_insights	16.0.2	16.0.2.x
oracle / communications_billing_and_revenue_management	12.0.0.5	12.0.0.5.x
oracle / hospitality_token_proxy_service	19.2	19.2.x
oracle / health_sciences_information_manager	3.0.1	3.0.4.x
oracle / payment_interface	20.3	20.3.x
oracle / payment_interface	19.1	19.1.x
oracle / retail_eftlink	21.0.0	21.0.0.x
oracle / retail_data_extractor_for_merchandising	16.0.2	16.0.2.x
oracle / retail_data_extractor_for_merchandising	15.0.2	15.0.2.x
oracle / retail_financial_integration	19.0.0	19.0.0.x
oracle / retail_store_inventory_management	14.1.3.5	14.1.3.5.x
oracle / retail_store_inventory_management	14.1.3.14	14.1.3.14.x
oracle / retail_store_inventory_management	15.0.3.3	15.0.3.3.x
oracle / retail_store_inventory_management	15.0.3.8	15.0.3.8.x
oracle / retail_store_inventory_management	16.0.3.7	16.0.3.7.x
oracle / retail_store_inventory_management	14.0.4.13	14.0.4.13.x
oracle / communications_convergence	3.0.3.0	3.0.3.0.x
oracle / sql_developer	-	21.4.2
oracle / communications_user_data_repository	12.4	12.4.x
oracle / communications_eagle_element_management_system	46.6	46.6.x
oracle / management_cloud_engine	1.5.0	1.5.0.x
oracle / identity_manager_connector	9.1.0	9.1.0.x
oracle / flexcube_universal_banking	11.83.3	11.83.3.x
oracle / flexcube_universal_banking	12.1.0	12.4.x
oracle / enterprise_manager_for_peoplesoft	13.5.1.1	13.5.1.1.x
oracle / healthcare_translational_research	4.1.1	4.1.1.x
oracle / healthcare_master_person_index	5.0.1	5.0.1.x
oracle / healthcare_foundation	7.3.0.1	7.3.0.4.x
oracle / health_sciences_inform	6.3.2.1	6.3.2.1.x
oracle / health_sciences_inform	7.0.0.0	7.0.0.0.x
oracle / health_sciences_inform	6.2.1.1	6.2.1.1.x
oracle / health_sciences_empirica_signal	9.2.0.0	9.2.0.0.x
oracle / health_sciences_empirica_signal	9.1.0.6	9.1.0.6.x
oracle / insurance_insbridge_rating_and_underwriting	5.4	5.6.0.0.x
oracle / insurance_data_gateway	1.0.1	1.0.1.x
oracle / hyperion_tax_provision	-	11.2.8.0
oracle / hyperion_profitability_and_cost_management	-	11.2.8.0
oracle / hyperion_planning	-	11.2.8.0
oracle / hyperion_bi+	-	11.2.8.0
oracle / retail_financial_integration	16.0.1	16.0.3.x
oracle / taleo_platform	-	22.1
org.apache.logging.log4j / log4j-core	2.4.0	2.12.3
org.apache.logging.log4j / log4j-core	2.13.0	2.17.0
org.apache.logging.log4j / log4j-core	-	2.3.1

Vulnerability Database

289,599

CVE-2021-45105