CVE-2021-45105

Home/CVE/Apache Log4j2 versions 2.0-alpha1 through 2.16.0 (excluding 2.12.3 and 2.3.1) did not protect from uncontrolled recursio

CVE

Apache Log4j2 versions 2.0-alpha1 through 2.16.0 (excluding 2.12.3 and 2.3.1) did not protect from uncontrolled recursio

Apache Log4j2 versions 2.0-alpha1 through 2.16.0 (excluding 2.12.3 and 2.3.1) did not protect from uncontrolled recursion from self-referential lookups. This allows an attacker with control over Thread Context Map data to cause a denial of service when a crafted string is interpreted. This issue was fixed in Log4j 2.17.0, 2.12.3, and 2.3.1.

MEDIUM · CVSS 5.9 EPSS 0.74016

Act now

EPSS ≥ 0.50 - high probability of exploitation in the next 30 days
EPSS percentile: top 1% of all CVEs by exploitation likelihood

Sigma rules10 YARA rules0

◆

Threat Actors Linked

actorAquatic Panda

⬡

Weakness Classification

CWE-20Improper Input Validation
CWE-20Improper Input Validation
CWE-674Uncontrolled Recursion
CWE-674Uncontrolled Recursion

▤

Affected Products & Versions

apache log4j>= 2.0 and < 2.3.1
apache log4j>= 2.4 and < 2.12.3
apache log4j>= 2.13.0 and <= 2.16.0
netapp cloud managerall versions
debian linuxall versions
sonicwall email security<= 10.0.12
sonicwall network security manager>= 2.0 and < 3.0
sonicwall web application firewall>= 3.0.0 and < 3.1.0
Show all 51 affected productssonicwall 6bk1602-0aa12-0tp0 firmware< 2.7.0
sonicwall 6bk1602-0aa22-0tp0 firmware< 2.7.0
sonicwall 6bk1602-0aa32-0tp0 firmware< 2.7.0
sonicwall 6bk1602-0aa42-0tp0 firmware< 2.7.0
sonicwall 6bk1602-0aa52-0tp0 firmware< 2.7.0
oracle agile engineering data managementall versions
oracle agile plmall versions
oracle agile plm mcad connectorall versions
oracle autovue for agile product lifecycle managementall versions
oracle banking deposits and lines of credit servicingall versions
oracle banking enterprise default managementall versions
oracle banking loans servicingall versions
oracle banking party managementall versions
oracle banking paymentsall versions
oracle banking platformall versions
oracle banking trade financeall versions
oracle banking treasury managementall versions
oracle business intelligenceall versions
oracle communications asapall versions
oracle communications billing and revenue managementall versions
oracle communications cloud native core consoleall versions
oracle communications cloud native core network function cloud native environmentall versions
oracle communications cloud native core network repository functionall versions
oracle communications cloud native core network slice selection functionall versions
oracle communications cloud native core policyall versions
oracle communications cloud native core security edge protection proxyall versions
oracle communications cloud native core service communication proxyall versions
oracle communications cloud native core unified data repositoryall versions
oracle communications convergenceall versions
oracle communications convergent charging controller>= 12.0.1.0.0 and <= 12.0.4.0.0
oracle communications convergent charging controllerall versions
oracle communications diameter signaling router>= 8.3.0.0 and <= 8.5.1.0
oracle communications eagle element management systemall versions
oracle communications eagle ftp table base retrievalall versions
oracle communications element manager< 9.0
oracle communications evolved communications application serverall versions
oracle communications interactive session recorderall versions
oracle communications ip service activatorall versions
oracle communications messaging serverall versions
oracle communications network charging and control>= 12.0.1.0.0 and <= 12.0.4.0.0
oracle communications network charging and controlall versions
oracle communications network integrityall versions
oracle communications performance intelligence centerall versions

▤

Affected Packages

Language-ecosystem packages (from OSV) tied to this CVE, with the version that fixes it - the dependency-level detail NVD doesn’t carry.

Maven org.apache.logging.log4j:log4j-core HIGH fixed in 2.12.3

Maven org.ops4j.pax.logging:pax-logging-log4j2 HIGH fixed in 1.9.2

◈

Detection Rules (IDS/IPS)

et-openET EXPLOIT Possible Apache log4j Uncontrolled Recursion Lookup (CVE-2021-45105)attempted-admin

snort-communitySERVER-OTHER Apache Log4j logging remote code execution attemptattempted-user

Show all 39 detection rulessnort-communitySERVER-OTHER Apache Log4j logging remote code execution attemptattempted-user
snort-communitySERVER-OTHER Apache Log4j logging remote code execution attemptattempted-user
snort-communitySERVER-OTHER Apache Log4j logging remote code execution attemptattempted-user
snort-communitySERVER-OTHER Apache Log4j logging remote code execution attemptattempted-user
snort-communitySERVER-OTHER Apache Log4j logging remote code execution attemptattempted-user
snort-communitySERVER-OTHER Apache Log4j logging remote code execution attemptattempted-user
snort-communitySERVER-OTHER Apache Log4j logging remote code execution attemptattempted-user
snort-communitySERVER-OTHER Apache Log4j logging remote code execution attemptattempted-user
snort-communitySERVER-OTHER Apache Log4j logging remote code execution attemptattempted-user
snort-communitySERVER-OTHER Apache Log4j logging remote code execution attemptattempted-user
snort-communitySERVER-OTHER Apache Log4j logging remote code execution attemptattempted-user
snort-communitySERVER-OTHER Apache Log4j logging remote code execution attemptattempted-user
snort-communitySERVER-OTHER Apache Log4j logging remote code execution attemptattempted-user
snort-communitySERVER-OTHER Apache Log4j logging remote code execution attemptattempted-user
snort-communitySERVER-OTHER Apache Log4j logging remote code execution attemptattempted-user
snort-communitySERVER-OTHER Apache Log4j logging remote code execution attemptattempted-user
snort-communitySERVER-OTHER Apache Log4j logging remote code execution attemptattempted-user
snort-communitySERVER-OTHER Apache Log4j logging remote code execution attemptattempted-user
snort-communitySERVER-OTHER Apache Log4j logging remote code execution attemptattempted-user
snort-communitySERVER-OTHER Apache Log4j logging remote code execution attemptattempted-user
snort-communitySERVER-OTHER Apache Log4j logging remote code execution attemptattempted-user
snort-communitySERVER-OTHER Apache Log4j logging remote code execution attemptattempted-user
snort-communitySERVER-OTHER Apache Log4j logging remote code execution attemptattempted-user
snort-communitySERVER-OTHER Apache Log4j logging remote code execution attemptattempted-user
snort-communitySERVER-OTHER Apache Log4j logging remote code execution attemptattempted-user
snort-communitySERVER-OTHER Apache Log4j logging remote code execution attemptattempted-user
snort-communityINDICATOR-COMPROMISE JNDI LDAP searchResEntry dynamic code download attempttrojan-activity
snort-communityPOLICY-OTHER Java User-Agent remote class download attemptpolicy-violation
snort-communitySERVER-OTHER Apache Log4j logging remote code execution attemptattempted-user
snort-communitySERVER-OTHER Apache Log4j logging remote code execution attemptattempted-user
snort-communitySERVER-OTHER Apache Log4j logging remote code execution attemptattempted-user
snort-communitySERVER-OTHER Apache Log4j logging remote code execution attemptattempted-user
snort-communitySERVER-OTHER Apache Log4j logging remote code execution attemptattempted-user

Open rulesets (ET Open, Snort Community, abuse.ch) link to source. Commercial rulesets are reference-only.

◈

Sigma Hunt Rules

Exact rules name this CVE ID. Product rules name an affected product in their title. Related rules cover techniques used by actors who exploited this CVE. Showing the most relevant matches; the complete related set is on the full drill-down.

relatedcriticalAntivirus Password Dumper Detection

relatedcriticalHacktool Execution - Imphash

relatedcriticalHackTool - Rubeus Execution

relatedcriticalPotential Credential Dumping Via LSASS Process Clone

relatedcriticalWCE wceaux.dll Access

relatedcriticalHackTool - Dumpert Process Dumper Default File

Show all 10 top matches

relatedcriticalHackTool - Credential Dumping Tools Named Pipe Created

relatedcriticalHackTool - Inveigh Execution

relatedcriticalHackTool - SafetyKatz Execution

relatedcriticalHackTool - Dumpert Process Dumper Execution

▣

Scoring & Timeline

5.9

MEDIUM · CVSS v3.1 · security@apache.org

View on NVD

Attack Vector

Network Adjacent Local Physical

Attack Complexity

Low High

Privileges Required

None Low High

User Interaction

None Required

Scope

Unchanged Changed

Confidentiality

None Low High

Integrity

None Low High

Availability

None Low High

Published to NVD18 Dec 2021 · 12:15 PM

CVSS VectorCVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H

⚑

Vendor Advisories

suse-csafopenSUSE-SU-2024:11691-1
rhsaRHSA-2022:1299Moderate
rhsaRHSA-2022:1297Moderate
rhsaRHSA-2022:1296Moderate
usnUSN-5222-1
Show all 30 vendor advisoriesrhsaRHSA-2022:0205Moderate
rhsaRHSA-2022:0216Moderate
rhsaRHSA-2022:0203Moderate
rhsaRHSA-2022:0223Moderate
rhsaRHSA-2022:0222Moderate
rhsaRHSA-2022:0083Moderate
suse-csafopenSUSE-SU-2021:1605-1
siemens-csafSSA-479842
suse-csafopenSUSE-SU-2021:4118-1
usnUSN-5203-1
siemens-csafSSA-501673
rhsaRHSA-2022:0219Moderate
rhsaRHSA-2022:1469Moderate
rhsaRHSA-2022:0026Moderate
rhsaRHSA-2022:0047Moderate
rhsaRHSA-2022:0044Moderate
rhsaRHSA-2022:1463Moderate
rhsaRHSA-2022:0043Moderate
rhsaRHSA-2022:1462Moderate
rhsaRHSA-2022:0042Moderate
siemens-csafSSA-661247
cisco-csafcisco-sa-apache-log4j-qRuKNEbd
oracle-cpuoracle-cpu-Instantis-EnterpriseTrack-10563--CVE-2021-45105
vmware-vmsavmware-vmsa-security-advisories-vmsa-2021-0028-README
owasp-crsowasp-crs-rules-REQUEST-944-APPLICATION-ATTACK-JAVA.conf

🔗

References & Sources

Source URLs (vendor pages, mailing lists, write-ups). Exploit/PoC links are in their own section above to avoid duplication.

http://www.openwall.com/lists/oss-security/2021/12/19/1Mailing ListMitigationThird Party Advisory

https://cert-portal.siemens.com/productcert/pdf/ssa-479842.pdfThird Party Advisory

https://cert-portal.siemens.com/productcert/pdf/ssa-501673.pdfThird Party Advisory

https://logging.apache.org/log4j/2.x/security.htmlRelease NotesVendor Advisory

https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2021-0032Third Party Advisory

https://security.netapp.com/advisory/ntap-20211218-0001/Third Party Advisory

Show all 13 references

https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-apache-log4j-qRuKNEbdThird Party Advisory

https://www.debian.org/security/2021/dsa-5024Third Party Advisory

https://www.kb.cert.org/vuls/id/930724Third Party AdvisoryUS Government Resource

https://www.oracle.com/security-alerts/cpuapr2022.htmlPatchThird Party Advisory

https://www.oracle.com/security-alerts/cpujan2022.htmlPatchThird Party Advisory

https://www.oracle.com/security-alerts/cpujul2022.htmlThird Party Advisory

https://www.zerodayinitiative.com/advisories/ZDI-21-1541/Third Party AdvisoryVDB Entry

Intelligence Graph · click any node to traverse

CVETechnique ActorTool Family

drag to reposition · click any node to traverse · button top-right enlarges

External lookups - second-class, for what we don’t hold ourselves

NVD CVE.org CISA Vulners Exploit-DB GitHub PoC VulnCheck KEV GreyNoise

Vulnerabilities
CISA KEV catalog
CWE weaknesses
CAPEC attack patterns
Package vulnerabilities

Threat intelligence
Threat actors
Tools & malware
ATT&CK techniques
IOCs

Detection & defense
Sigma rules
YARA rules
Atomic Red Team tests
D3FEND countermeasures

Compliance
NIST 800-53
ISO 27001:2022
SOC 2 TSC
PCI-DSS v4.0
CIS Controls v8.1

About
All capabilities
Live statistics
Data sources
Privacy policy
Terms of service

threatengine.sh · Open-source threat intelligence platform · 100+ authoritative sources · Every fact traces to its origin