CVE-2021-45105

critical-risk

Published 2021-12-18

Apache Log4j2 versions 2.0-alpha1 through 2.16.0 (excluding 2.12.3 and 2.3.1) did not protect from uncontrolled recursion from self-referential lookups. This allows an attacker with control over Thread Context Map data to cause a denial of service when a crafted string is interpreted. This issue was fixed in Log4j 2.17.0, 2.12.3, and 2.3.1.

Do I need to act?

70.4% chance of exploitation in next 30 days

EPSS score — higher than 30% of all CVEs

Not on CISA KEV list

No confirmed active exploitation reported to CISA

Patch status unknown

Check vendor advisories for fix availability and mitigation guidance

CVSS 5.9/10 Medium

NETWORK / HIGH complexity

Affected Products (20)

Log4J

Cloud Manager

Debian Linux

Email Security

Network Security Manager

Web Application Firewall

6Bk1602-0Aa12-0Tp0 Firmware

6Bk1602-0Aa22-0Tp0 Firmware

6Bk1602-0Aa32-0Tp0 Firmware

6Bk1602-0Aa42-0Tp0 Firmware

6Bk1602-0Aa52-0Tp0 Firmware

Agile Engineering Data Management

Agile Plm

Agile Plm Mcad Connector

Autovue For Agile Product Lifecycle Management

Banking Deposits And Lines Of Credit Servicing

Banking Enterprise Default Management

Affected Vendors

Debian Apache Oracle Sonicwall Netapp

References (26)

Mailing List http://www.openwall.com/lists/oss-security/2021/12/19/1

Third Party Advisory https://cert-portal.siemens.com/productcert/pdf/ssa-479842.pdf

Third Party Advisory https://cert-portal.siemens.com/productcert/pdf/ssa-501673.pdf

Release Notes https://logging.apache.org/log4j/2.x/security.html

Third Party Advisory https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2021-0032

Third Party Advisory https://security.netapp.com/advisory/ntap-20211218-0001/

Third Party Advisory https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-a...

Third Party Advisory https://www.debian.org/security/2021/dsa-5024

Third Party Advisory https://www.kb.cert.org/vuls/id/930724

Patch https://www.oracle.com/security-alerts/cpuapr2022.html

Patch https://www.oracle.com/security-alerts/cpujan2022.html

Third Party Advisory https://www.oracle.com/security-alerts/cpujul2022.html

Third Party Advisory https://www.zerodayinitiative.com/advisories/ZDI-21-1541/

Mailing List http://www.openwall.com/lists/oss-security/2021/12/19/1

Third Party Advisory https://cert-portal.siemens.com/productcert/pdf/ssa-479842.pdf

Third Party Advisory https://cert-portal.siemens.com/productcert/pdf/ssa-501673.pdf

Release Notes https://logging.apache.org/log4j/2.x/security.html

Third Party Advisory https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2021-0032

Third Party Advisory https://security.netapp.com/advisory/ntap-20211218-0001/

Third Party Advisory https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-a...

and 6 more references

/ 100

critical-risk

Severity 18/34 · Moderate

Exploitability 19/34 · Moderate

Exposure 33/34 · Critical