Description
Apache Log4j2 versions 2.0-alpha1 through 2.16.0 (excluding 2.12.3 and 2.3.1) did not protect against uncontrolled recursion from self-referential lookups. An attacker who controls Thread Context Map data (for example, a request-derived value that the application copies into the ThreadContext) can cause a denial of service when a crafted string is interpreted, because the lookup keeps expanding into itself. Per the Apache security page, the precondition is a non-default Pattern Layout that contains a Context Lookup such as `$${ctx:loginId}`; configurations that use the Thread Context Map pattern (`%X`, `%mdc`, `%MDC`) instead of a Context Lookup are not exposed this way. This issue was fixed in Log4j 2.17.0, 2.12.3, and 2.3.1.
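The following Python model is an added example and is not Log4j's own code. It reproduces the shape of the bug in a small string-substitution routine: a pattern containing a `${ctx:...}` lookup is rendered against a Thread Context map whose value refers back to itself. The naive resolver re-expands every resolved value with no bound and blows the stack (the analogue of the stack overflow behind the denial of service); the hardened resolver caps the nesting depth and leaves the remaining lookup unexpanded. The lookup syntax, the context map contents, and the depth cap of 5 are all constructed assumptions for illustration, not Log4j's real values.

```python
"""Model of CVE-2021-45105: self-referential lookups during string substitution."""
import re

# Lookup syntax assumed for this example: ${prefix:key} with no nested braces.
LOOKUP = re.compile(r"\$\{(\w+):([^${}]+)\}")

# Constructed sample data. The pattern embeds a Context Lookup; the Thread
# Context values below stand in for what an application copies in from input.
PATTERN = "[%level] user=${ctx:loginId} %msg"
SAFE_CONTEXT = {"loginId": "alice"}
NESTED_CONTEXT = {"loginId": "${ctx:realId}", "realId": "bob"}
CONTEXT = {"loginId": "${ctx:loginId}"}  # attacker-controlled, self-referential

# Assumed depth cap; the bound used by the real fix is not reproduced here.
MAX_LOOKUP_DEPTH = 5


def naive_substitute(text, ctx):
    """Vulnerable model: every resolved value is substituted again, with no bound.

    On a self-referential value this recurses until the interpreter gives up.
    """
    out, pos = [], 0
    while (m := LOOKUP.search(text, pos)):
        out.append(text[pos:m.start()])
        prefix, key = m.group(1), m.group(2)
        if prefix == "ctx" and key in ctx:
            out.append(naive_substitute(ctx[key], ctx))  # unbounded recursion
        else:
            out.append(m.group(0))  # unknown lookup is left verbatim
        pos = m.end()
    out.append(text[pos:])
    return "".join(out)


def bounded_substitute(text, ctx, depth=0):
    """Hardened model: stop expanding once the nesting depth exceeds the cap.

    The unexpanded lookup text is returned as-is instead of recursing further,
    so a self-referential value degrades to a literal rather than a crash.
    """
    if depth > MAX_LOOKUP_DEPTH:
        return text
    out, pos = [], 0
    while (m := LOOKUP.search(text, pos)):
        out.append(text[pos:m.start()])
        prefix, key = m.group(1), m.group(2)
        if prefix == "ctx" and key in ctx:
            out.append(bounded_substitute(ctx[key], ctx, depth + 1))
        else:
            out.append(m.group(0))
        pos = m.end()
    out.append(text[pos:])
    return "".join(out)


def naive_outcome(pattern, ctx):
    """Render with the vulnerable resolver and report a stack exhaustion by name."""
    try:
        return naive_substitute(pattern, ctx)
    except RecursionError:
        return "RecursionError"


def contains_lookup(value):
    """Boundary check: flag Thread Context values that carry lookup syntax.

    Rejecting or escaping such values before they reach ThreadContext.put()
    removes the attacker's control over what the layout will try to expand.
    """
    return "${" in value


if __name__ == "__main__":
    print("naive, benign:  ", naive_outcome(PATTERN, SAFE_CONTEXT))
    print("naive, self-ref:", naive_outcome(PATTERN, CONTEXT))
    print("bounded, self-ref:", bounded_substitute(PATTERN, CONTEXT))
    print("bounded, nested:  ", bounded_substitute(PATTERN, NESTED_CONTEXT))
    print("reject input?", contains_lookup(CONTEXT["loginId"]))
```

The bounded resolver still handles legitimate one-level indirection (`NESTED_CONTEXT`), which is the behaviour a depth cap preserves that a blanket ban on recursion would not. In a real deployment the stronger fix is the one the advisory recommends: upgrade, and replace Context Lookups in the layout with `%X`/`%mdc` patterns so attacker data is printed, not interpreted.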
CVSS breakdown
CVSS 3.1 vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H (base score 5.9, Medium)
Attack Vector: Network
Attack Complexity: High (the attacker needs a layout that uses a Context Lookup and a path for their data into the Thread Context Map)
Privileges Required: None
User Interaction: None
Scope: Unchanged
Confidentiality: None
Integrity: None
Availability: High
Affected products
- Apache Software Foundation / Apache Log4j2, log4j-core: versions before 2.17.0 (2.0-alpha1 through 2.16.0, excluding the patched 2.12.3 and 2.3.1 releases); fixed in 2.17.0
References
- MISC: https://logging.apache.org/log4j/2.x/security.html
- VENDOR_ADVISORY: https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2021-0032
- MISC: https://www.kb.cert.org/vuls/id/930724
- VENDOR_ADVISORY: https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-apache-log4j-qRuKNEbd
- MAILING_LIST: http://www.openwall.com/lists/oss-security/2021/12/19/1
- VENDOR_ADVISORY: https://www.debian.org/security/2021/dsa-5024
- MISC: https://cert-portal.siemens.com/productcert/pdf/ssa-479842.pdf
- MISC: https://security.netapp.com/advisory/ntap-20211218-0001/
- VENDOR_ADVISORY: https://www.zerodayinitiative.com/advisories/ZDI-21-1541/
- MISC: https://cert-portal.siemens.com/productcert/pdf/ssa-501673.pdf
- VENDOR_ADVISORY: https://www.oracle.com/security-alerts/cpujan2022.html
- VENDOR_ADVISORY: https://www.oracle.com/security-alerts/cpuapr2022.html
- VENDOR_ADVISORY: https://www.oracle.com/security-alerts/cpujul2022.html