Metrics
No CVSS v4.0
Attack Vector: Network
Attack Complexity: High
Privileges Required: None
Scope: Unchanged
Confidentiality Impact: None
Integrity Impact: None
Availability Impact: High
User Interaction: None
No CVSS v3.0
Access Vector: Network
Access Complexity: Medium
Authentication: None
Confidentiality Impact: None
Integrity Impact: None
Availability Impact: Partial
This CVE is not in the KEV list.
The EPSS score is 0.70431.
Key SSVC decision points have not yet been added.
Affected Vendors & Products
Vendors | Products |
---|---|
Apache | |
Debian | |
Netapp | |
Oracle | |
Redhat | |
Sonicwall | |
Package | CPE | Advisory | Released Date |
---|---|---|---|
EAP 7.4.4 release | |||
log4j-core | cpe:/a:redhat:jboss_enterprise_application_platform:7.4 | RHSA-2022:1299 | 2022-04-11T00:00:00Z |
EAP 7.4 log4j async | |||
log4j-core | cpe:/a:redhat:jboss_enterprise_application_platform:7.4 | RHSA-2022:0216 | 2022-01-20T00:00:00Z |
OpenShift Logging 5.0 | |||
openshift-logging/elasticsearch6-rhel8:v5.0.11-2 | cpe:/a:redhat:logging:5.0::el8 | RHSA-2022:0047 | 2022-01-10T00:00:00Z |
OpenShift Logging 5.1 | |||
openshift-logging/elasticsearch6-rhel8:v6.8.1-82 | cpe:/a:redhat:logging:5.1::el8 | RHSA-2022:0042 | 2022-01-10T00:00:00Z |
OpenShift Logging 5.2 | |||
openshift-logging/elasticsearch6-rhel8:v6.8.1-83 | cpe:/a:redhat:logging:5.2::el8 | RHSA-2022:0043 | 2022-01-10T00:00:00Z |
OpenShift Logging 5.3 | |||
openshift-logging/elasticsearch6-rhel8:v6.8.1-84 | cpe:/a:redhat:logging:5.3::el8 | RHSA-2022:0044 | 2022-01-10T00:00:00Z |
Red Hat AMQ Streams 1.6.6 | |||
log4j-core | cpe:/a:redhat:amq_streams:1 | RHSA-2022:0219 | 2022-01-20T00:00:00Z |
Red Hat Data Grid 8.2.3 | |||
log4j-core | cpe:/a:redhat:jboss_data_grid:8.2 | RHSA-2022:0205 | 2022-01-20T00:00:00Z |
Red Hat Fuse 7.8.2, 7.9.1, 7.10.1 | |||
log4j-core | cpe:/a:redhat:jboss_fuse:7 | RHSA-2022:0203 | 2022-01-20T00:00:00Z |
Red Hat Integration Camel Extensions for Quarkus 2.2 | |||
log4j-core | cpe:/a:redhat:camel_quarkus:2.2 | RHSA-2022:0222 | 2022-01-20T00:00:00Z |
Red Hat Integration Camel-K 1.6.3 | |||
log4j-core | cpe:/a:redhat:integration:1 | RHSA-2022:0223 | 2022-01-20T00:00:00Z |
Red Hat JBoss Enterprise Application Platform 7.4 for RHEL 8 | |||
eap7-log4j-0:2.17.1-1.redhat_00001.1.el8eap | cpe:/a:redhat:jboss_enterprise_application_platform:7.4::el8 | RHSA-2022:1297 | 2022-04-11T00:00:00Z |
Red Hat JBoss Enterprise Application Platform 7.4 on RHEL 7 | |||
eap7-log4j-0:2.17.1-1.redhat_00001.1.el7eap | cpe:/a:redhat:jboss_enterprise_application_platform:7.4::el7 | RHSA-2022:1296 | 2022-04-11T00:00:00Z |
Red Hat OpenShift Container Platform 4.6 | |||
openshift4/ose-logging-elasticsearch6:v4.6.0-202112201736.p0.gce7f68c.assembly.stream | cpe:/a:redhat:openshift:4.6::el8 | RHSA-2022:0026 | 2022-01-12T00:00:00Z |
Red Hat Single Sign-On 7 | |||
log4j-api | cpe:/a:redhat:red_hat_single_sign_on:7 | RHSA-2022:1469 | 2022-04-20T00:00:00Z |
Red Hat Single Sign-On 7.5 for RHEL 7 | |||
rh-sso7-keycloak-0:15.0.6-1.redhat_00001.1.el7sso | cpe:/a:redhat:red_hat_single_sign_on:7.5::el7 | RHSA-2022:1462 | 2022-04-20T00:00:00Z |
Red Hat Single Sign-On 7.5 for RHEL 8 | |||
rh-sso7-keycloak-0:15.0.6-1.redhat_00001.1.el8sso | cpe:/a:redhat:red_hat_single_sign_on:7.5::el8 | RHSA-2022:1463 | 2022-04-20T00:00:00Z |
Vert.x 4.1.8 | |||
log4j-core | cpe:/a:redhat:openshift_application_runtimes:1.0 | RHSA-2022:0083 | 2022-01-20T00:00:00Z |
No data.
Solution
No solution given by the vendor.
Workaround
Implement one of the following mitigation techniques:

* Java 8 (or later) users should upgrade to release 2.17.0.

Alternatively, this can be mitigated in configuration:

* In PatternLayout in the logging configuration, replace Context Lookups like `${ctx:loginId}` or `$${ctx:loginId}` with Thread Context Map patterns (`%X`, `%mdc`, or `%MDC`).
* Otherwise, in the configuration, remove references to Context Lookups like `${ctx:loginId}` or `$${ctx:loginId}` where they originate from sources external to the application such as HTTP headers or user input.
Wed, 16 Jul 2025 13:45:00 +0000
Type | Values Removed | Values Added |
---|---|---|
Metrics | epss | epss |

Status: PUBLISHED
Assigner: apache
Published:
Updated: 2024-08-04T04:39:20.295Z
Reserved: 2021-12-16T00:00:00
Link: CVE-2021-45105

Status : Modified
Published: 2021-12-18T12:15:07.433
Modified: 2024-11-21T06:31:58.170
Link: CVE-2021-45105

