PT-2021-5478 · Apache · Apache Log4J2

Hideki Okamoto · Published 2021-12-18 · Updated 2025-09-22 · CVE-2021-45105

CVSS v2.0: 7.8 (High)
Vector: AV:N/AC:L/Au:N/C:N/I:N/A:C
Name of the Vulnerable Software and Affected Versions: Apache Log4j2 versions 2.0-alpha1 through 2.16.0 (excluding 2.12.3 and 2.3.1)

Description: The issue allows an attacker with control over Thread Context Map data to cause a denial of service when a crafted string is interpreted, due to uncontrolled recursion from self-referential lookups. The problem is related to insufficient input validation in the logging library.

Recommendations: For Apache Log4j2 versions 2.0-alpha1 through 2.16.0 (excluding 2.12.3 and 2.3.1), update to Log4j 2.17.0, 2.12.3, or 2.3.1 to resolve the issue. As a temporary workaround, consider restricting access to the org.apache.logging.log4j:log4j-core package to minimize the risk of exploitation. If the org.apache.logging.log4j:log4j-api package is in use, keep it at the same version as org.apache.logging.log4j:log4j-core to ensure compatibility.
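A version check for inventorying the affected range stated above, added here as an example and not part of the advisory: it implements the stated range literally (2.0-alpha1 through 2.16.0, excluding the backport releases 2.12.3 and 2.3.1), orders pre-release qualifiers the way Log4j 2 releases do, and scans a constructed list of jar paths that is an assumption, not data from the page.

```python
import re

# Pre-release qualifiers sort before the final release of the same number.
_QUALIFIER_RANK = {"alpha": 0, "beta": 1, "rc": 2}
_RELEASE_RANK = 3

def version_key(version):
    """Turn '2.0-beta9' into a tuple that sorts the way Log4j 2 releases do."""
    number, _, qualifier = version.partition("-")
    parts = [int(p) for p in number.split(".")]
    parts += [0] * (3 - len(parts))  # '2.0' -> 2.0.0
    if not qualifier:
        return (*parts, _RELEASE_RANK, 0)
    m = re.fullmatch(r"([A-Za-z]+)(\d*)", qualifier)
    if m is None or m.group(1).lower() not in _QUALIFIER_RANK:
        raise ValueError(f"unrecognised qualifier in {version!r}")
    return (*parts, _QUALIFIER_RANK[m.group(1).lower()], int(m.group(2) or 0))

# The range exactly as the advisory states it: 2.0-alpha1 through 2.16.0,
# except the backport releases 2.12.3 and 2.3.1.
LOWEST_AFFECTED = version_key("2.0-alpha1")
HIGHEST_AFFECTED = version_key("2.16.0")
FIXED_BACKPORTS = {version_key("2.12.3"), version_key("2.3.1")}

def is_affected(version):
    """True if this log4j-core version is in the advisory's affected range."""
    key = version_key(version)
    return key not in FIXED_BACKPORTS and LOWEST_AFFECTED <= key <= HIGHEST_AFFECTED

# Matches a log4j-core artifact filename and captures its version string.
_CORE_JAR = re.compile(r"log4j-core-(\d+(?:\.\d+)*(?:-[A-Za-z]+\d*)?)\.jar$")

def scan_jar_names(names):
    """Return (path, version, affected) for every log4j-core jar in names."""
    findings = []
    for name in names:
        m = _CORE_JAR.search(name)
        if m:
            findings.append((name, m.group(1), is_affected(m.group(1))))
    return findings

# Constructed sample inventory (not from the advisory) to exercise the check.
SAMPLE_JARS = [
    "/opt/app/lib/log4j-core-2.16.0.jar",      # affected
    "/opt/app/lib/log4j-api-2.16.0.jar",       # api jar, not checked here
    "/opt/legacy/lib/log4j-core-2.12.3.jar",   # backport fix, not affected
    "/opt/old/lib/log4j-core-2.0-beta9.jar",   # pre-release, affected
    "/opt/new/lib/log4j-core-2.17.0.jar",      # fixed release
]
```

Feed `scan_jar_names` the output of a real filesystem walk to apply the same check to a host; only log4j-core jars are classified, since the advisory's range is defined on that artifact.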

Tags: Exploit · Fix · DoS · RCE · Uncontrolled Recursion

Related Identifiers

ALT-PU-2022-7659
BDU:2021-06325
CVE-2021-45105
DLA-2852-1
DSA-5024-1
GHSA-P6XC-XR62-6R2G
MGASA-2021-0572
OESA-2021-1474
OESA-2022-1956
OESA-2022-1957
OPENSUSE-SU-2021:1605-1
OPENSUSE-SU-2021:4118-1
OPENSUSE-SU-2021_1605-1
OPENSUSE-SU-2021_4118-1
OPENSUSE-SU-2024:11691-1
RHSA-2022:1296
RHSA-2022:1297
RHSA-2022:1462
RHSA-2022:1463
USN-5203-1
USN-5222-1
ZDI-21-1541

Affected Products

Apache Log4J2
Apache Struts
Astra Linux
Linuxmint
Red Os
Suse
Ubuntu