critical
9.8
CWE
20 674
Advisory Published
CVE Published
CVE Published
Advisory Published
Updated

CVE-2021-45105: Apache Log4j StrSubstitutor Uncontrolled Recursion Denial-of-Service Vulnerability

First published: Sun Dec 12 2021(Updated: )

A flaw was found in the Apache Log4j logging library 2.x. when the logging configuration uses a non-default Pattern Layout with a Context Lookup. Attackers with control over Thread Context Map (MDC) input data can craft malicious input data that contains a recursive lookup and can cause Denial of Service.

Credit: security@apache.org security@apache.org

Affected SoftwareAffected VersionHow to fix
redhat/eap7-log4j<0:2.17.1-1.redhat_00001.1.el8ea
0:2.17.1-1.redhat_00001.1.el8ea
redhat/eap7-log4j<0:2.17.1-1.redhat_00001.1.el7ea
0:2.17.1-1.redhat_00001.1.el7ea
redhat/rh-sso7-keycloak<0:15.0.6-1.redhat_00001.1.el7
0:15.0.6-1.redhat_00001.1.el7
redhat/rh-sso7-keycloak<0:15.0.6-1.redhat_00001.1.el8
0:15.0.6-1.redhat_00001.1.el8
debian/apache-log4j2
2.17.1-1~deb10u1
2.17.0-1~deb10u1
2.17.1-1~deb11u1
2.17.0-1~deb11u1
2.19.0-2
debian/apache-log4j2<=2.16.0-1~deb10u1<=2.16.0-1<=2.16.0-1~deb11u1
2.17.0-1
2.17.0-1~deb11u1
2.17.0-1~deb10u1
redhat/log4j<2.17.0
2.17.0
redhat/log4j<2.12.3
2.12.3
redhat/log4j<2.3.1
2.3.1
Apache Log4j
Apache Log4j>=2.0<2.3.1
Apache Log4j>=2.4<2.12.3
Apache Log4j>=2.13.0<=2.16.0
Cloud Manager
Debian=10.0
Debian=11.0
SonicWall Email Security<=10.0.12
SonicWall Network Security Manager>=2.0<3.0
SonicWall Network Security Manager>=2.0<3.0
SonicWall Web Application Firewall>=3.0.0<3.1.0
All of
sonicwall 6bk1602-0aa12-0tp0<2.7.0
SonicWall 6BK1602-0AA12-0TP0 Firmware
All of
SonicWall Firmware 6bk1602-0aa22-0tp0<2.7.0
SonicWall Firmware 6bk1602-0aa22-0tp0
All of
SonicWall 6BK1602-0AA32-0TP0<2.7.0
SonicWall 6BK1602-0AA32-0TP0 Firmware
All of
SonicWall 6BK1602-0AA42-0TP0<2.7.0
SonicWall 6bk1602-0aa42-0tp0 Firmware
All of
SonicWall 6bk1602-0aa52-0tp0<2.7.0
SonicWall 6bk1602-0aa52-0tp0 Firmware
Oracle Agile Engineering Data Management=6.2.1.0
Oracle Agile PLM=9.3.6
Oracle Agile PLM MCAD Connector=3.6
Oracle AutoVue for Agile Product Lifecycle Management=21.0.2
Oracle Banking Deposits and Lines of Credit Servicing=2.12.0
oracle banking enterprise default management=2.7.1
oracle banking enterprise default management=2.12.0
Oracle Banking Loans Servicing=2.12.0
Oracle Banking Party Management=2.7.0
Oracle Banking Payments=14.5
oracle banking platform=2.6.2
oracle banking platform=2.7.1
oracle banking platform=2.12.0
Oracle Banking Trade Finance Process Management=14.5
Oracle Banking Treasury Management=14.5
Oracle Business Intelligence Enterprise Edition=5.5.0.0.0
Oracle Communications ASAP=7.3
Oracle Communications Billing and Revenue Management=12.0.0.4
Oracle Communications Billing and Revenue Management=12.0.0.5
oracle communications cloud native core console=1.9.0
oracle communications cloud native core network function cloud native environment=1.10.0
Oracle Communications Cloud Native Core Network Repository Function=1.15.0
Oracle Communications Cloud Native Core Network Repository Function=1.15.1
Oracle Communications Cloud Native Core Network Slice Selection Function=1.8.0
oracle communications Cloud native core policy=1.15.0
Oracle Communications Cloud Native Core Network Repository Function=1.7.0
Oracle Communications Cloud Native Core Service Communication Proxy=1.15.0
Oracle Communications Cloud Native Core Unified Data Repository=1.15.0
Oracle Communications Convergence=3.0.2.2.0
Oracle Communications Convergence=3.0.3.0
oracle communications convergent charging controller>=12.0.1.0.0<=12.0.4.0.0
oracle communications convergent charging controller=6.0.1.0.0
Oracle Communications Diameter Signaling Router>=8.3.0.0<=8.5.1.0
Oracle Communications Eagle=46.6
Oracle Communications Eagle FTP Table Base Retrieval=4.5
oracle communications element manager<9.0
oracle communications evolved communications application server=7.1
Oracle Communications Interactive Session Recorder=6.3
Oracle Communications Interactive Session Recorder=6.4
Oracle Communications IP Service Activator=7.4.0
Sun iPlanet Messaging Server=8.1
oracle communications network charging and control>=12.0.1.0.0<=12.0.4.0.0
oracle communications network charging and control=6.0.1.0.0
Oracle Communications Network Integrity=7.3.6
Oracle Communications Performance Intelligence Center=10.4.0.3
Oracle Communications Pricing Design Center=12.0.0.4
Oracle Communications Pricing Design Center=12.0.0.5
Oracle Communications Service Broker=6.2
Oracle Communications Services Gatekeeper=7.0
oracle communications session report manager<9.0
oracle communications session route manager<9.0
Oracle Communications Unified Inventory Management=7.3.5
Oracle Communications Unified Inventory Management=7.4.1
Oracle Communications Unified Inventory Management=7.4.2
Oracle Communications User Data Repository=12.4
Oracle WebRTC Session Controller=7.2.0.0
Oracle WebRTC Session Controller=7.2.1
Oracle Data Integrator=12.2.1.3.0
Oracle Data Integrator=12.2.1.4.0
Oracle E-Business Suite=12.2
Oracle Enterprise Manager Base Platform=13.4.0.0
Oracle Enterprise Manager Base Platform=13.5.0.0
Oracle Enterprise Manager for PeopleSoft=13.4.1.1
Oracle Enterprise Manager for PeopleSoft=13.5.1.1
Oracle Enterprise Manager Ops Center=12.4.0.0
Oracle Financial Services Analytical Applications Infrastructure>=8.0.7<=8.1.1
Oracle Financial Services Model Management and Governance=8.0.8.0.0
Oracle Financial Services Model Management and Governance=8.1.0.0.0
Oracle Financial Services Model Management and Governance=8.1.1.0.0
Oracle FLEXCUBE Universal Banking>=12.1.0<=12.4
Oracle FLEXCUBE Universal Banking>=14.0.0<=14.3.0
Oracle FLEXCUBE Universal Banking=11.83.3
Oracle FLEXCUBE Universal Banking=14.5
Oracle Health Sciences Empirica Signal=9.1.0.6
Oracle Health Sciences Empirica Signal=9.2.0.0
Oracle Health Sciences InForm=6.2.1.1
Oracle Health Sciences InForm=6.3.2.1
Oracle Health Sciences InForm=7.0.0.0
Oracle Health Sciences Information Manager>=3.0.1<=3.0.4
Oracle Healthcare Data Repository=8.1.1
Oracle Healthcare Foundation>=7.3.0.1<=7.3.0.4
Oracle Healthcare Master Person Index=5.0.1
Oracle Healthcare Translational Research=4.1.0
Oracle Healthcare Translational Research=4.1.1
Oracle Hospitality Suite8=8.13.0
Oracle Hospitality Suite8=8.14.0
Oracle Hospitality Token Proxy Service=19.2
Oracle Hyperion BI+<11.2.8.0
Oracle Hyperion Data Relationship Management<11.2.8.0
oracle hyperion infrastructure technology<11.2.8.0
Oracle Hyperion Planning<11.2.8.0
Oracle Hyperion Profitability and Cost Management<11.2.8.0
Oracle Hyperion Tax Provision<11.2.8.0
Oracle Identity Management Suite=12.2.1.3.0
Oracle Identity Management Suite=12.2.1.4.0
Oracle Identity Manager Connector=9.1.0
oracle instantis enterprisetrack=17.1
oracle instantis enterprisetrack=17.2
oracle instantis enterprisetrack=17.3
Oracle Insurance Data Gateway=1.0.1
Oracle Insurance Insbridge Rating and Underwriting>=5.4<=5.6.0.0
Oracle Insurance Insbridge Rating and Underwriting=5.2.0
Oracle Insurance Insbridge Rating and Underwriting=5.6.1.0
Oracle JDeveloper=12.2.1.4.0
Oracle Managed File Transfer=12.2.1.3.0
Oracle Managed File Transfer=12.2.1.4.0
Oracle Management Cloud Engine=1.5.0
MySQL Enterprise Monitor<=8.0.29
Oracle Payment Interface=19.1
Oracle Payment Interface=20.3
Oracle PeopleSoft Enterprise PeopleTools=8.58
Oracle PeopleSoft Enterprise PeopleTools=8.59
oracle primavera gateway>=17.12.0<=17.12.11
oracle primavera gateway>=18.8.0<=18.8.13
oracle primavera gateway>=19.12.0<=19.12.12
oracle primavera gateway>=20.12.0<=20.12.7
oracle primavera gateway=21.12.0
Oracle Primavera P6 Enterprise Project Portfolio Management>=19.12.0.0<=19.12.18.0
Oracle Primavera P6 Enterprise Project Portfolio Management>=20.12.0.0<=20.12.12.0
Oracle Primavera P6 Enterprise Project Portfolio Management=21.12.0.0
Oracle Primavera Unifier=18.8
Oracle Primavera Unifier=19.12
Oracle Primavera Unifier=20.12
Oracle Primavera Unifier=21.12
Oracle Retail Back Office=14.1
Oracle Retail Central Office=14.1
Oracle Retail Customer Insights=15.0.2
Oracle Retail Customer Insights=16.0.2
Oracle Retail Data Extractor For Merchandising=15.0.2
Oracle Retail Data Extractor For Merchandising=16.0.2
Oracle Retail EFTLink=16.0.3
Oracle Retail EFTLink=17.0.2
Oracle Retail EFTLink=18.0.1
Oracle Retail EFTLink=19.0.1
Oracle Retail EFTLink=20.0.1
Oracle Retail EFTLink=21.0.0
oracle retail financial integration>=16.0.1<=16.0.3
oracle retail financial integration=14.1.3.2
oracle retail financial integration=15.0.3.1
oracle retail financial integration=19.0.0
oracle retail financial integration=19.0.1
Oracle Retail Integration Bus>=16.0.1<=16.0.3
Oracle Retail Integration Bus>=19.0.0<=19.0.1.0
Oracle Retail Integration Bus=14.1.3
Oracle Retail Integration Bus=14.1.3.2
Oracle Retail Integration Bus=15.0.3.1
Oracle Retail Integration Bus=19.0.0
Oracle Retail Integration Bus=19.0.1
Oracle Retail Invoice Matching=15.0.3
Oracle Retail Invoice Matching=16.0.3
Oracle Retail Merchandising System=16.0.3
Oracle Retail Merchandising System=19.0.1
Oracle Retail Order Broker=16.0
Oracle Retail Order Broker=18.0
Oracle Retail Order Broker=19.1
Oracle Retail Order Management System=19.5
Oracle Retail Point-of-Sale=14.1
Oracle Retail Predictive Application Server=14.1.3.46
Oracle Retail Predictive Application Server=15.0.3.115
Oracle Retail Predictive Application Server=16.0.3.240
Oracle Retail Pricing=13.2
Oracle Retail Pricing=14.0.4
Oracle Retail Pricing=14.1.3.0
Oracle Retail Pricing=15.0.3.0
Oracle Retail Pricing=16.0.3.0
Oracle Retail Returns Management=14.1
Oracle Retail Service Backbone>=16.0.1<=16.0.3
Oracle Retail Service Backbone=14.1.3
Oracle Retail Service Backbone=14.1.3.2
Oracle Retail Service Backbone=15.0.3.1
Oracle Retail Service Backbone=19.0.0
Oracle Retail Service Backbone=19.0.1
Oracle Retail Service Backbone=19.0.1.0
Oracle Retail Store Inventory Management=14.0.4.13
Oracle Retail Store Inventory Management=14.1.3.5
Oracle Retail Store Inventory Management=14.1.3.14
Oracle Retail Store Inventory Management=15.0.3.3
Oracle Retail Store Inventory Management=15.0.3.8
Oracle Retail Store Inventory Management=16.0.3.7
Oracle Siebel User Interface Framework<=21.12
Oracle SQL Developer<21.4.2
Oracle Taleo Platform<22.1
Oracle Utilities Framework>=4.3.0.1.0<=4.3.0.6.0
Oracle Utilities Framework=4.4.0.0.0
Oracle Utilities Framework=4.4.0.2.0
Oracle Utilities Framework=4.4.0.3.0
Oracle WebCenter Portal=12.2.1.3.0
Oracle WebCenter Portal=12.2.1.4.0
Oracle WebCenter Sites=12.2.1.3.0
Oracle WebCenter Sites=12.2.1.4.0
Oracle WebLogic Server=12.2.1.3.0
Oracle WebLogic Server=12.2.1.4.0
Oracle WebLogic Server=14.1.1.0.0
sonicwall 6bk1602-0aa12-0tp0<2.7.0
SonicWall 6BK1602-0AA12-0TP0 Firmware
SonicWall Firmware 6bk1602-0aa22-0tp0<2.7.0
SonicWall Firmware 6bk1602-0aa22-0tp0
SonicWall 6BK1602-0AA32-0TP0<2.7.0
SonicWall 6BK1602-0AA32-0TP0 Firmware
SonicWall 6BK1602-0AA42-0TP0<2.7.0
SonicWall 6bk1602-0aa42-0tp0 Firmware
SonicWall 6bk1602-0aa52-0tp0<2.7.0
SonicWall 6bk1602-0aa52-0tp0 Firmware

Remedy

https://www.oracle.com/security-alerts/cpuapr2022.html

Remedy

https://www.oracle.com/security-alerts/cpujan2022.html

Remedy

For Log4j 2 versions up to and including 2.16.0, this flaw can be mitigated by: - In PatternLayout in the Log4j logging configuration, replace Context Lookups like ${ctx:loginId} or $${ctx:loginId} with Thread Context Map patterns (%X, %mdc, or %MDC) like %X{loginId}. - Otherwise, in the Log4j logging configuration, remove references to Context Lookups like ${ctx:loginId} or $${ctx:loginId} where they originate from sources external to the application such as HTTP headers or user input.

Never miss a vulnerability like this again

Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.

Read MoreStart Free Trial

Reference Links

Parent vulnerabilities

(Appears in the following advisories)

Frequently Asked Questions

  • What is the severity of CVE-2021-45105?

    CVE-2021-45105 is rated as critical due to the potential for remote code execution through malicious crafted input.

  • How do I fix CVE-2021-45105?

    To fix CVE-2021-45105, update the Apache Log4j library to versions 2.17.1 or later.

  • What applications are affected by CVE-2021-45105?

    CVE-2021-45105 affects various applications utilizing vulnerable versions of the Apache Log4j 2.x logging library.

  • Can CVE-2021-45105 lead to data compromise?

    Yes, the exploitation of CVE-2021-45105 can allow attackers to execute arbitrary code, potentially leading to data compromise.

  • Is there a workaround for CVE-2021-45105?

    If immediate updating is not possible, consider disabling the logging configuration using a non-default Pattern Layout with context lookups.

Company

Resources

Contact

SecAlerts Pty Ltd.
132 Wickham Terrace
Fortitude Valley,
QLD 4006, Australia
info@secalerts.co
By using SecAlerts services, you agree to our services end-user license agreement. This website is safeguarded by reCAPTCHA and governed by the Google Privacy Policy and Terms of Service. All names, logos, and brands of products are owned by their respective owners, and any usage of these names, logos, and brands for identification purposes only does not imply endorsement. If you possess any content that requires removal, please get in touch with us.
© 2025 SecAlerts Pty Ltd.
ABN: 70 645 966 203, ACN: 645 966 203