Security context
High· 8.6GHSA-p6xc-xr62-6r2g CVE-2021-45105CWE-20CWE-674Published Dec 18, 2021

Apache Log4j2 vulnerable to Improper Input Validation and Uncontrolled Recursion

Research this vulnerability

Research is free — Hunters explains how the bug works, the root-cause code pattern, how the fix addresses it, and how to test whether a target is affected, in chat. Investigate & write exploit is a paid run — the engine reads the advisory and fix commits, then builds and validates a working proof-of-concept exploit with reproduction steps.

Affected versions

2.4.0 → fixed in 2.12.32.13.0 → fixed in 2.17.00 → fixed in 2.3.11.8.0 → fixed in 1.9.21.10.0 → fixed in 1.10.91.11.0 → fixed in 1.11.122.0.0 → fixed in 2.0.13

Details

Apache Log4j2 versions 2.0-alpha1 through 2.16.0 (excluding 2.12.3) did not protect from uncontrolled recursion from self-referential lookups. This allows an attacker with control over Thread Context Map data to cause a denial of service when a crafted string is interpreted. This issue was fixed in Log4j 2.17.0 and 2.12.3. # Affected packages Only the `org.apache.logging.log4j:log4j-core` package is directly affected by this vulnerability. The `org.apache.logging.log4j:log4j-api` should be kept at the same version as the `org.apache.logging.log4j:log4j-core` package to ensure compatability if in use.

The fix

No fix commit could be resolved for this advisory (it may reference an issue tracker or a non-GitHub patch). See the references below.

References