Apache Log4j2 does not always protect from infinite recursion in lookup evaluation

MITRE NVD CVE.ORG JSON API Print: PDF PDF

Summary

CVECVE-2021-45105
StatePUBLISHED
Assignerapache
Source PriorityCVE Program / NVD first with legacy fallback
Published2021-12-18 12:15:07 UTC
Updated2026-05-29 13:16:19 UTC
DescriptionApache Log4j2 versions 2.0-alpha1 through 2.16.0 (excluding 2.12.3 and 2.3.1) did not protect from uncontrolled recursion from self-referential lookups. This allows an attacker with control over Thread Context Map data to cause a denial of service when a crafted string is interpreted. This issue was fixed in Log4j 2.17.0, 2.12.3, and 2.3.1.

Risk And Classification

Primary CVSS: v3.1 5.9 MEDIUM from [email protected]

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H

Problem Types: CWE-20 | CWE-674 | CWE-20 CWE-20 Improper Input Validation | CWE-674 CWE-674: Uncontrolled Recursion

VersionSourceTypeScoreSeverityVector
3.1[email protected]Primary5.9MEDIUMCVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H
3.1ADPDECLARED5.9MEDIUMCVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H
3.1134c704f-9b21-4f2e-91b3-4a467353bcc0Secondary5.9MEDIUMCVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H
2.0[email protected]Primary4.3AV:N/AC:M/Au:N/C:N/I:N/A:P

CVSS v3.1 Breakdown

Attack Vector
Network
Attack Complexity
High
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H

CVSS v2.0 Breakdown

Access Vector
Network
Access Complexity
Medium
Authentication
None
Confidentiality
None
Integrity
None
Availability
Partial

AV:N/AC:M/Au:N/C:N/I:N/A:P

NVD Known Affected Configurations (CPE 2.3)

TypeVendorProductVersionUpdateEditionLanguage
Application Apache Log4j All All All All

Vendor Declared Affected Products

SourceVendorProductVersionPlatforms
CNA Apache Software Foundation Apache Log4j2 affected log4j-core 2.17.0 custom Not specified

References

ReferenceSourceLinkTags
Oracle Critical Patch Update Advisory - April 2022 af854a3a-2127-422b-91ae-364da2661108 www.oracle.com Patch, Third Party Advisory
cert-portal.siemens.com/productcert/pdf/ssa-479842.pdf af854a3a-2127-422b-91ae-364da2661108 cert-portal.siemens.com Third Party Advisory
Log4j – Apache Log4j Security Vulnerabilities af854a3a-2127-422b-91ae-364da2661108 logging.apache.org Release Notes, Vendor Advisory
ZDI-21-1541 | Zero Day Initiative af854a3a-2127-422b-91ae-364da2661108 www.zerodayinitiative.com Third Party Advisory, VDB Entry
VU#930724 - Apache Log4j allows insecure JNDI lookups af854a3a-2127-422b-91ae-364da2661108 www.kb.cert.org Third Party Advisory, US Government Resource
Oracle Critical Patch Update Advisory - January 2022 af854a3a-2127-422b-91ae-364da2661108 www.oracle.com Patch, Third Party Advisory
Oracle Critical Patch Update Advisory - July 2022 af854a3a-2127-422b-91ae-364da2661108 www.oracle.com Third Party Advisory
CVE-2021-45105 Apache Log4j Vulnerability in NetApp Products | NetApp Product Security af854a3a-2127-422b-91ae-364da2661108 security.netapp.com Third Party Advisory
cert-portal.siemens.com/productcert/pdf/ssa-501673.pdf af854a3a-2127-422b-91ae-364da2661108 cert-portal.siemens.com Third Party Advisory
oss-security - CVE-2021-45105: Apache Log4j2 does not always protect from infinite recursion in lookup evaluation af854a3a-2127-422b-91ae-364da2661108 www.openwall.com Mailing List, Mitigation, Third Party Advisory
Vulnerabilities in Apache Log4j Library Affecting Cisco Products: December 2021 af854a3a-2127-422b-91ae-364da2661108 tools.cisco.com Third Party Advisory
Security Advisory af854a3a-2127-422b-91ae-364da2661108 psirt.global.sonicwall.com Third Party Advisory
Debian -- Security Information -- DSA-5024-1 apache-log4j2 af854a3a-2127-422b-91ae-364da2661108 www.debian.org Third Party Advisory
[SECURITY] Fedora 34 Update: log4j-2.17.0-1.fc34 - package-announce - Fedora Mailing-Lists MITRE lists.fedoraproject.org
[SECURITY] Fedora 35 Update: log4j-2.17.0-1.fc35 - package-announce - Fedora Mailing-Lists MITRE lists.fedoraproject.org
[SECURITY] [DLA 2852-1] apache-log4j2 security update MITRE lists.debian.org
CVE Program record CVE.ORG www.cve.org canonical
NVD vulnerability detail NVD nvd.nist.gov canonical, analysis

Vendor Comments And Credit

Discovery Credit

CNA: Independently discovered by Hideki Okamoto of Akamai Technologies, Guy Lederfein of Trend Micro Research working with Trend Micro’s Zero Day Initiative, and another anonymous vulnerability researcher (en)

Additional Advisory Data

Workarounds

CNA: Implement one of the following mitigation techniques: * Java 8 (or later) users should upgrade to release 2.17.0. Alternatively, this can be mitigated in configuration: * In PatternLayout in the logging configuration, replace Context Lookups like `${ctx:loginId}` or `$${ctx:loginId}` with Thread Context Map patterns (%X, %mdc, or %MDC). * Otherwise, in the configuration, remove references to Context Lookups like `${ctx:loginId}` or `$${ctx:loginId}` where they originate from sources external to the application such as HTTP headers or user input.

Legacy QID Mappings

  • 178945 Debian Security Update for apache-log4j2 (DSA 5024-1)
  • 178956 Debian Security Update for apache-log4j2 (DLA 2852-1)
  • 182425 Debian Security Update for apache-log4j2 (CVE-2021-45105)
  • 198613 Ubuntu Security Notification for Apache Log4j 2 Vulnerability (USN-5203-1)
  • 198626 Ubuntu Security Notification for Apache Log4j 2 Vulnerabilities (USN-5222-1)
  • 20240 Oracle Database 19c Critical Patch Update - January 2022
  • 20241 Oracle Database 12.2.0.1 Critical Patch Update - January 2022
  • 20242 Oracle Database 12.2.0.1 Critical Patch Update - January 2022 (Unauthenticated)
  • 20252 IBM DB2 Security Update for Log4j (6528672,6549888)
  • 20289 Oracle Database 19c Critical OJVM Patch Update - January 2022
  • 20314 Oracle Database 12.2.0.1 Critical OJVM Patch Update - January 2022
  • 240209 Red Hat Update for JBoss Enterprise Application Platform 7.4.4 (RHSA-2022:1296)
  • 240210 Red Hat Update for JBoss Enterprise Application Platform 7.4.4 (RHSA-2022:1297)
  • 282198 Fedora Security Update for log4j (FEDORA-2021-5c9d12a93e) (Log4Shell)
  • 282200 Fedora Security Update for log4j (FEDORA-2021-abbe24e41c) (Log4Shell)
  • 317120 Cisco Unified Communications Manager (CUCM) Apache Log4j Vulnerability (cisco-sa-apache-log4j-qRuKNEbd)
  • 317121 Cisco Unified Communications Manager IM and Presence Service (formerly CUPS) Apache Log4j Vulnerability (cisco-sa-apache-log4j-qRuKNEbd)
  • 317123 Cisco UCS Central Software Apache Log4j Vulnerability (cisco-sa-apache-log4j-qRuKNEbd)
  • 353090 Amazon Linux Security Advisory for aws-kinesis-agent : ALAS2-2021-1733
  • 354369 Amazon Linux Security Advisory for log4j : ALAS2022-2022-225
  • 354516 Amazon Linux Security Advisory for log4j : ALAS2022-2021-008
  • 354538 Amazon Linux Security Advisory for log4j : ALAS-2022-225
  • 376192 Elasticsearch Logstash Log4j Remote Code Execution (RCE) Vulnerability
  • 376194 Apache Log4j Denial of Service (DOS) Vulnerability (Log4Shell)
  • 376195 Apache Log4j Denial of Service (DOS) Vulnerability (Log4Shell) Detected Based on Qualys Log4j scan Utility
  • 376230 Dell EMC NetWorker Apache Log4j multiple Remote Code Execution (RCE) Vulnerabilities (DSA-2021-280)
  • 376231 Dell EMC NetWorker Server Apache Log4j multiple Remote Code Execution (RCE) Vulnerabilities (DSA-2021-280)
  • 376425 Oracle Hypertext Transfer Protocol Server (HTTP Server) Multiple Vulnerabilities (Log4Shell) (Doc_ID_2817011.1)
  • 376477 Autonomous Health Framework (AHF) Multiple Vulnerabilities (Log4Shell) (Doc ID 2828415.1)
  • 690756 Free Berkeley Software Distribution (FreeBSD) Security Update for opensearch (d1be3d73-6737-11ec-9eea-589cfc007716)
  • 730318 Palo Alto Networks (PAN-OS) Log4j Multiple Vulnerabilities (PAN-184592) (Log4Shell)
  • 730329 Dell EMC NetWorker Virtual Edition Multiple Apache Log4j Remote Code Execution (RCE) Vulnerabilities (DSA-2021-280)
  • 730331 Dell EMC NetWorker Virtual Edition multiple Apache Log4j Remote Code Execution (RCE) Vulnerabilities (DSA-2021-280)
  • 730362 Neo4j Database Server Affected by Apache Log4j Security Vulnerability
  • 730367 Dell EMC SRM Remote Code Execution (RCE) Vulnerability (DSA-2021-301)
  • 730371 McAfee Web Gateway Multiple Vulnerabilities (WP-3335,WP-4131,WP-4159,WP-4237,WP-4259,WP-4329,WP-4348,WP-4355,WP-4376,WP-4407,WP-4421)
  • 751534 OpenSUSE Security Update for log4j (openSUSE-SU-2021:4118-1)
  • 751546 OpenSUSE Security Update for log4j (openSUSE-SU-2021:1605-1)
  • 87473 Cisco Nexus Dashboard Fabric Controller (Formerly DCNM) Apache Log4j Vulnerability (cisco-sa-apache-log4j-qRuKNEbd)
  • 87482 Oracle WebLogic Server Multiple Vulnerabilities (Log4Shell) (Doc_ID_2828556.1)
  • 87483 Oracle WebLogic Server Multiple Vulnerabilities (Log4Shell) (Doc_ID_2817011.1)
© CVE.report 2026 |

Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. It is the responsibility of user to evaluate the accuracy, completeness or usefulness of any information, opinion, advice or other content. EACH USER WILL BE SOLELY RESPONSIBLE FOR ANY consequences of his or her direct or indirect use of this web site. ALL WARRANTIES OF ANY KIND ARE EXPRESSLY DISCLAIMED. This site will NOT BE LIABLE FOR ANY DIRECT, INDIRECT or any other kind of loss.

CVE, CWE, and OVAL are registred trademarks of The MITRE Corporation and the authoritative source of CVE content is MITRE's CVE web site. This site includes MITRE data granted under the following license.

Free CVE JSON API cve.report/api

CVE.report and Source URL Uptime Status status.cve.report