Apache Log4j2 versions 2.0-alpha1 through 2.16.0 (excluding 2.12.3 and 2.3.1) did not protect from uncontrolled recursion from self-referential lookups. This allows an attacker with control over Thread Context Map data to cause a denial of service when a crafted string is interpreted. This issue was fixed in Log4j 2.17.0, 2.12.3, and 2.3.1.
Fixes

Solution

No solution given by the vendor.


Workaround

Implement one of the following mitigation techniques: * Java 8 (or later) users should upgrade to release 2.17.0. Alternatively, this can be mitigated in configuration: * In PatternLayout in the logging configuration, replace Context Lookups like `${ctx:loginId}` or `$${ctx:loginId}` with Thread Context Map patterns (%X, %mdc, or %MDC). * Otherwise, in the configuration, remove references to Context Lookups like `${ctx:loginId}` or `$${ctx:loginId}` where they originate from sources external to the application such as HTTP headers or user input.

History

Wed, 16 Jul 2025 13:45:00 +0000

Type Values Removed Values Added
Metrics epss

{'score': 0.65452}

epss

{'score': 0.66522}


cve-icon MITRE

Status: PUBLISHED

Assigner: apache

Published:

Updated: 2024-08-04T04:39:20.295Z

Reserved: 2021-12-16T00:00:00

Link: CVE-2021-45105

cve-icon Vulnrichment

No data.

cve-icon NVD

Status : Modified

Published: 2021-12-18T12:15:07.433

Modified: 2024-11-21T06:31:58.170

Link: CVE-2021-45105

cve-icon Redhat

Severity : Moderate

Publid Date: 2021-12-18T00:00:00Z

Links: CVE-2021-45105 - Bugzilla

cve-icon OpenCVE Enrichment

No data.