CVE-2021-45105
Apache Log4j2 does not always protect from infinite recursion in lookup evaluation
In short
Apache Log4j2 versions before 2.17.0 are vulnerable to infinite recursion when processing specially crafted lookup strings in thread context data. An attacker who can control this data can crash the application, causing denial of service.
Technical detail
The vulnerability exists in Log4j2's lookup evaluation mechanism (CWE-674: uncontrolled recursion; CWE-20: improper input validation), where self-referential lookups are not properly restricted. An attacker with write access to the Thread Context Map can supply a malicious string that triggers recursive evaluation when it is interpreted, exhausting stack memory and terminating the affected process.
Summary generated and translated by AI from the official description.
Apache Log4j2 versions 2.0-alpha1 through 2.16.0 (excluding 2.12.3 and 2.3.1) did not protect from uncontrolled recursion from self-referential lookups. This allows an attacker with control over Thread Context Map data to cause a denial of service when a crafted string is interpreted. This issue was fixed in Log4j 2.17.0, 2.12.3, and 2.3.1.
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H
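As an added triage helper (not part of the advisory and not Apache's code), the script below decides whether a Log4j2 version string falls inside the affected range stated above, including pre-release tags such as 2.0-alpha1, and scans constructed jar file names for vulnerable `log4j-core` artifacts. It goes slightly beyond the text by treating later maintenance releases on the 2.12.x and 2.3.x branches (after the 2.12.3 and 2.3.1 backports) as fixed; that generalization is an assumption.

```python
import re
from typing import List, Tuple

# Pre-release ordering used by Log4j2: alpha < beta < rc < final release
PRERELEASE_RANK = {"alpha": 0, "beta": 1, "rc": 2}
FINAL_RANK = 3


def parse_version(v: str) -> Tuple[int, int, int, int, int]:
    """Turn '2.0-alpha1', '2.3' or '2.16.0' into a comparable tuple."""
    m = re.fullmatch(r"(\d+)\.(\d+)(?:\.(\d+))?(?:-(alpha|beta|rc)(\d+))?",
                     v.strip().lower())
    if not m:
        raise ValueError(f"unrecognised Log4j version string: {v!r}")
    major, minor, patch = int(m.group(1)), int(m.group(2)), int(m.group(3) or 0)
    if m.group(4):
        return (major, minor, patch, PRERELEASE_RANK[m.group(4)], int(m.group(5)))
    return (major, minor, patch, FINAL_RANK, 0)  # final release sorts last


AFFECTED_LOW = parse_version("2.0-alpha1")
AFFECTED_HIGH = parse_version("2.16.0")


def is_vulnerable_cve_2021_45105(version: str) -> bool:
    """True if the version is inside the advisory's affected range."""
    key = parse_version(version)
    major, minor, patch = key[0], key[1], key[2]
    if major != 2:
        return False  # Log4j 1.x is a different code base; not in scope here
    # Backport branches: 2.12.3 and 2.3.1 are fixed per the advisory; later
    # releases on those branches are assumed to carry the fix as well.
    if minor == 12 and patch >= 3:
        return False
    if minor == 3 and patch >= 1:
        return False
    return AFFECTED_LOW <= key <= AFFECTED_HIGH


def vulnerable_jars(jar_names: List[str]) -> List[str]:
    """Return the log4j-core jar names whose embedded version is affected."""
    hits = []
    for name in jar_names:
        m = re.search(r"log4j-core-([0-9][^/]*?)\.jar$", name)
        if m and is_vulnerable_cve_2021_45105(m.group(1)):
            hits.append(name)
    return hits


if __name__ == "__main__":
    # Constructed sample inventory, not real scan output
    sample = ["lib/log4j-core-2.14.1.jar", "lib/log4j-core-2.17.0.jar",
              "lib/log4j-core-2.12.3.jar", "lib/log4j-api-2.14.1.jar"]
    print(vulnerable_jars(sample))
```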
Affected products
Apache Software Foundation · Apache Log4j2