CVE-2021-45105 – APACHE LOG4J UP TO 2.12.2/2.16.0 LOOKUP INFINITE LOOP

0
730

Apache Log4j2 versions 2.0-alpha1 through 2.16.0 (excluding 2.12.3) did not protect from uncontrolled recursion from self-referential lookups. This allows an attacker with control over Thread Context Map data to cause a denial of service when a crafted string is interpreted. This issue was fixed in Log4j 2.17.0 and 2.12.3.


A vulnerability was found in Apache Log4j up to 2.12.2/2.16.0. It has been classified as problematic. This affects an unknown part of the component Lookup Handler. The manipulation with an unknown input leads to a denial of service vulnerability. CWE is classifying the issue as CWE-835. This is going to have an impact on availability.

The weakness was shared 12/18/2021. The advisory is shared at logging.apache.org. This vulnerability is uniquely identified as CVE-2021-45105 since 12/16/2021. The exploitability is told to be easy. It is possible to initiate the attack remotely. No form of authentication is needed for exploitation. Technical details are unknown but a public exploit is available. MITRE ATT&CK project uses the attack technique T1499 for this issue.

It is declared as proof-of-concept. The exploit is shared for download at logging.apache.org.

Upgrading to version 2.12.3 or 2.17.0 eliminates this vulnerability. The upgrade is hosted for download at logging.apache.org.