CVE-2021-45105

Apache Log4j2 versions 2.0-alpha1 through 2.16.0 (excluding 2.12.3 and 2.3.1) did not protect from uncontrolled recursion from self-referential lookups. This allows an attacker with control over Thread Context Map data to cause a denial of service when a crafted string is interpreted. This issue was fixed in Log4j 2.17.0, 2.12.3, and 2.3.1.
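| Provider | Type | Base Score | Atk. Vector | Atk. Complexity | Priv. Required | Vector |
|---|---|---|---|---|---|---|
| NIST | NIST | 5.9 MEDIUM | NETWORK | HIGH | NONE | CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H |
| apache | CNA | --- | | | | --- |
| CVE | ADP | --- | | | | --- |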
EPSS Score percentile: 98%
| Vendor | Product | Version |
|---|---|---|
| apache | log4j | 2.0 ≤ 𝑥 < 2.3.1 |
| apache | log4j | 2.4 ≤ 𝑥 < 2.12.3 |
| apache | log4j | 2.13.0 ≤ 𝑥 ≤ 2.16.0 |
| netapp | cloud_manager | - |
| debian | debian_linux | 10.0 |
| debian | debian_linux | 11.0 |
| sonicwall | email_security | 𝑥 ≤ 10.0.12 |
| sonicwall | network_security_manager | 2.0 ≤ 𝑥 < 3.0 |
| sonicwall | network_security_manager | 2.0 ≤ 𝑥 < 3.0 |
| sonicwall | web_application_firewall | 3.0.0 ≤ 𝑥 < 3.1.0 |
| sonicwall | 6bk1602-0aa12-0tp0_firmware | 𝑥 < 2.7.0 |
| sonicwall | 6bk1602-0aa22-0tp0_firmware | 𝑥 < 2.7.0 |
| sonicwall | 6bk1602-0aa32-0tp0_firmware | 𝑥 < 2.7.0 |
| sonicwall | 6bk1602-0aa42-0tp0_firmware | 𝑥 < 2.7.0 |
| sonicwall | 6bk1602-0aa52-0tp0_firmware | 𝑥 < 2.7.0 |
| oracle | agile_engineering_data_management | 6.2.1.0 |
| oracle | agile_plm | 9.3.6 |
| oracle | agile_plm_mcad_connector | 3.6 |
| oracle | autovue_for_agile_product_lifecycle_management | 21.0.2 |
| oracle | banking_deposits_and_lines_of_credit_servicing | 2.12.0 |
| oracle | banking_enterprise_default_management | 2.7.1 |
| oracle | banking_enterprise_default_management | 2.12.0 |
| oracle | banking_loans_servicing | 2.12.0 |
| oracle | banking_party_management | 2.7.0 |
| oracle | banking_payments | 14.5 |
| oracle | banking_platform | 2.6.2 |
| oracle | banking_platform | 2.7.1 |
| oracle | banking_platform | 2.12.0 |
| oracle | banking_trade_finance | 14.5 |
| oracle | banking_treasury_management | 14.5 |
| oracle | business_intelligence | 5.5.0.0.0 |
| oracle | communications_asap | 7.3 |
| oracle | communications_billing_and_revenue_management | 12.0.0.4 |
| oracle | communications_billing_and_revenue_management | 12.0.0.5 |
| oracle | communications_cloud_native_core_console | 1.9.0 |
| oracle | communications_cloud_native_core_network_function_cloud_native_environment | 1.10.0 |
| oracle | communications_cloud_native_core_network_repository_function | 1.15.0 |
| oracle | communications_cloud_native_core_network_repository_function | 1.15.1 |
| oracle | communications_cloud_native_core_network_slice_selection_function | 1.8.0 |
| oracle | communications_cloud_native_core_policy | 1.15.0 |
| oracle | communications_cloud_native_core_security_edge_protection_proxy | 1.7.0 |
| oracle | communications_cloud_native_core_service_communication_proxy | 1.15.0 |
| oracle | communications_cloud_native_core_unified_data_repository | 1.15.0 |
| oracle | communications_convergence | 3.0.2.2.0 |
| oracle | communications_convergence | 3.0.3.0 |
| oracle | communications_convergent_charging_controller | 12.0.1.0.0 ≤ 𝑥 ≤ 12.0.4.0.0 |
| oracle | communications_convergent_charging_controller | 6.0.1.0.0 |
| oracle | communications_diameter_signaling_router | 8.3.0.0 ≤ 𝑥 ≤ 8.5.1.0 |
| oracle | communications_eagle_element_management_system | 46.6 |
| oracle | communications_eagle_ftp_table_base_retrieval | 4.5 |
| oracle | communications_element_manager | 𝑥 < 9.0 |
| oracle | communications_evolved_communications_application_server | 7.1 |
| oracle | communications_interactive_session_recorder | 6.3 |
| oracle | communications_interactive_session_recorder | 6.4 |
| oracle | communications_ip_service_activator | 7.4.0 |
| oracle | communications_messaging_server | 8.1 |
| oracle | communications_network_charging_and_control | 12.0.1.0.0 ≤ 𝑥 ≤ 12.0.4.0.0 |
| oracle | communications_network_charging_and_control | 6.0.1.0.0 |
| oracle | communications_network_integrity | 7.3.6 |
| oracle | communications_performance_intelligence_center | 10.4.0.3 |
| oracle | communications_pricing_design_center | 12.0.0.4 |
| oracle | communications_pricing_design_center | 12.0.0.5 |
| oracle | communications_service_broker | 6.2 |
| oracle | communications_services_gatekeeper | 7.0 |
| oracle | communications_session_report_manager | 𝑥 < 9.0 |
| oracle | communications_session_route_manager | 𝑥 < 9.0 |
| oracle | communications_unified_inventory_management | 7.3.5 |
| oracle | communications_unified_inventory_management | 7.4.1 |
| oracle | communications_unified_inventory_management | 7.4.2 |
| oracle | communications_user_data_repository | 12.4 |
| oracle | communications_webrtc_session_controller | 7.2.0.0 |
| oracle | communications_webrtc_session_controller | 7.2.1 |
| oracle | data_integrator | 12.2.1.3.0 |
| oracle | data_integrator | 12.2.1.4.0 |
| oracle | e-business_suite | 12.2 |
| oracle | enterprise_manager_base_platform | 13.4.0.0 |
| oracle | enterprise_manager_base_platform | 13.5.0.0 |
| oracle | enterprise_manager_for_peoplesoft | 13.4.1.1 |
| oracle | enterprise_manager_for_peoplesoft | 13.5.1.1 |
| oracle | enterprise_manager_ops_center | 12.4.0.0 |
| oracle | financial_services_analytical_applications_infrastructure | 8.0.7 ≤ 𝑥 ≤ 8.1.1 |
| oracle | financial_services_model_management_and_governance | 8.0.8.0.0 |
| oracle | financial_services_model_management_and_governance | 8.1.0.0.0 |
| oracle | financial_services_model_management_and_governance | 8.1.1.0.0 |
| oracle | flexcube_universal_banking | 12.1.0 ≤ 𝑥 ≤ 12.4 |
| oracle | flexcube_universal_banking | 14.0.0 ≤ 𝑥 ≤ 14.3.0 |
| oracle | flexcube_universal_banking | 11.83.3 |
| oracle | flexcube_universal_banking | 14.5 |
| oracle | health_sciences_empirica_signal | 9.1.0.6 |
| oracle | health_sciences_empirica_signal | 9.2.0.0 |
| oracle | health_sciences_inform | 6.2.1.1 |
| oracle | health_sciences_inform | 6.3.2.1 |
| oracle | health_sciences_inform | 7.0.0.0 |
| oracle | health_sciences_information_manager | 3.0.1 ≤ 𝑥 ≤ 3.0.4 |
| oracle | healthcare_data_repository | 8.1.1 |
| oracle | healthcare_foundation | 7.3.0.1 ≤ 𝑥 ≤ 7.3.0.4 |
| oracle | healthcare_master_person_index | 5.0.1 |
| oracle | healthcare_translational_research | 4.1.0 |
| oracle | healthcare_translational_research | 4.1.1 |
| oracle | hospitality_suite8 | 8.13.0 |
| oracle | hospitality_suite8 | 8.14.0 |
| oracle | hospitality_token_proxy_service | 19.2 |
| oracle | hyperion_bi\+ | 𝑥 < 11.2.8.0 |
| oracle | hyperion_data_relationship_management | 𝑥 < 11.2.8.0 |
| oracle | hyperion_infrastructure_technology | 𝑥 < 11.2.8.0 |
| oracle | hyperion_planning | 𝑥 < 11.2.8.0 |
| oracle | hyperion_profitability_and_cost_management | 𝑥 < 11.2.8.0 |
| oracle | hyperion_tax_provision | 𝑥 < 11.2.8.0 |
| oracle | identity_management_suite | 12.2.1.3.0 |
| oracle | identity_management_suite | 12.2.1.4.0 |
| oracle | identity_manager_connector | 9.1.0 |
| oracle | instantis_enterprisetrack | 17.1 |
| oracle | instantis_enterprisetrack | 17.2 |
| oracle | instantis_enterprisetrack | 17.3 |
| oracle | insurance_data_gateway | 1.0.1 |
| oracle | insurance_insbridge_rating_and_underwriting | 5.4 ≤ 𝑥 ≤ 5.6.0.0 |
| oracle | insurance_insbridge_rating_and_underwriting | 5.2.0 |
| oracle | insurance_insbridge_rating_and_underwriting | 5.6.1.0 |
| oracle | jdeveloper | 12.2.1.4.0 |
| oracle | managed_file_transfer | 12.2.1.3.0 |
| oracle | managed_file_transfer | 12.2.1.4.0 |
| oracle | management_cloud_engine | 1.5.0 |
| oracle | mysql_enterprise_monitor | 𝑥 ≤ 8.0.29 |
| oracle | payment_interface | 19.1 |
| oracle | payment_interface | 20.3 |
| oracle | peoplesoft_enterprise_peopletools | 8.58 |
| oracle | peoplesoft_enterprise_peopletools | 8.59 |
| oracle | primavera_gateway | 17.12.0 ≤ 𝑥 ≤ 17.12.11 |
| oracle | primavera_gateway | 18.8.0 ≤ 𝑥 ≤ 18.8.13 |
| oracle | primavera_gateway | 19.12.0 ≤ 𝑥 ≤ 19.12.12 |
| oracle | primavera_gateway | 20.12.0 ≤ 𝑥 ≤ 20.12.7 |
| oracle | primavera_gateway | 21.12.0 |
| oracle | primavera_p6_enterprise_project_portfolio_management | 19.12.0.0 ≤ 𝑥 ≤ 19.12.18.0 |
| oracle | primavera_p6_enterprise_project_portfolio_management | 20.12.0.0 ≤ 𝑥 ≤ 20.12.12.0 |
| oracle | primavera_p6_enterprise_project_portfolio_management | 21.12.0.0 |
| oracle | primavera_unifier | 18.8 |
| oracle | primavera_unifier | 19.12 |
| oracle | primavera_unifier | 20.12 |
| oracle | primavera_unifier | 21.12 |
| oracle | retail_back_office | 14.1 |
| oracle | retail_central_office | 14.1 |
| oracle | retail_customer_insights | 15.0.2 |
| oracle | retail_customer_insights | 16.0.2 |
| oracle | retail_data_extractor_for_merchandising | 15.0.2 |
| oracle | retail_data_extractor_for_merchandising | 16.0.2 |
| oracle | retail_eftlink | 16.0.3 |
| oracle | retail_eftlink | 17.0.2 |
| oracle | retail_eftlink | 18.0.1 |
| oracle | retail_eftlink | 19.0.1 |
| oracle | retail_eftlink | 20.0.1 |
| oracle | retail_eftlink | 21.0.0 |
| oracle | retail_financial_integration | 16.0.1 ≤ 𝑥 ≤ 16.0.3 |
| oracle | retail_financial_integration | 14.1.3.2 |
| oracle | retail_financial_integration | 15.0.3.1 |
| oracle | retail_financial_integration | 19.0.0 |
| oracle | retail_financial_integration | 19.0.1 |
| oracle | retail_integration_bus | 16.0.1 ≤ 𝑥 ≤ 16.0.3 |
| oracle | retail_integration_bus | 19.0.0 ≤ 𝑥 ≤ 19.0.1.0 |
| oracle | retail_integration_bus | 14.1.3 |
| oracle | retail_integration_bus | 14.1.3.2 |
| oracle | retail_integration_bus | 15.0.3.1 |
| oracle | retail_integration_bus | 19.0.0 |
| oracle | retail_integration_bus | 19.0.1 |
| oracle | retail_invoice_matching | 15.0.3 |
| oracle | retail_invoice_matching | 16.0.3 |
| oracle | retail_merchandising_system | 16.0.3 |
| oracle | retail_merchandising_system | 19.0.1 |
| oracle | retail_order_broker | 16.0 |
| oracle | retail_order_broker | 18.0 |
| oracle | retail_order_broker | 19.1 |
| oracle | retail_order_management_system | 19.5 |
| oracle | retail_point-of-service | 14.1 |
| oracle | retail_predictive_application_server | 14.1.3.46 |
| oracle | retail_predictive_application_server | 15.0.3.115 |
| oracle | retail_predictive_application_server | 16.0.3.240 |
| oracle | retail_price_management | 13.2 |
| oracle | retail_price_management | 14.0.4 |
| oracle | retail_price_management | 14.1.3.0 |
| oracle | retail_price_management | 15.0.3.0 |
| oracle | retail_price_management | 16.0.3.0 |
| oracle | retail_returns_management | 14.1 |
| oracle | retail_service_backbone | 16.0.1 ≤ 𝑥 ≤ 16.0.3 |
| oracle | retail_service_backbone | 14.1.3 |
| oracle | retail_service_backbone | 14.1.3.2 |
| oracle | retail_service_backbone | 15.0.3.1 |
| oracle | retail_service_backbone | 19.0.0 |
| oracle | retail_service_backbone | 19.0.1 |
| oracle | retail_service_backbone | 19.0.1.0 |
| oracle | retail_store_inventory_management | 14.0.4.13 |
| oracle | retail_store_inventory_management | 14.1.3.5 |
| oracle | retail_store_inventory_management | 14.1.3.14 |
| oracle | retail_store_inventory_management | 15.0.3.3 |
| oracle | retail_store_inventory_management | 15.0.3.8 |
| oracle | retail_store_inventory_management | 16.0.3.7 |
| oracle | siebel_ui_framework | 𝑥 ≤ 21.12 |
| oracle | sql_developer | 𝑥 < 21.4.2 |
| oracle | taleo_platform | 𝑥 < 22.1 |
| oracle | utilities_framework | 4.3.0.1.0 ≤ 𝑥 ≤ 4.3.0.6.0 |
| oracle | utilities_framework | 4.4.0.0.0 |
| oracle | utilities_framework | 4.4.0.2.0 |
| oracle | utilities_framework | 4.4.0.3.0 |
| oracle | webcenter_portal | 12.2.1.3.0 |
| oracle | webcenter_portal | 12.2.1.4.0 |
| oracle | webcenter_sites | 12.2.1.3.0 |
| oracle | webcenter_sites | 12.2.1.4.0 |
| oracle | weblogic_server | 12.2.1.3.0 |
| oracle | weblogic_server | 12.2.1.4.0 |
| oracle | weblogic_server | 14.1.1.0.0 |

𝑥 = Vulnerable software versions
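
Debian Releases

| Debian Product | Codename | Version | Status |
|---|---|---|---|
| apache-log4j2 | bullseye | 2.17.1-1~deb11u1 | fixed |
| apache-log4j2 | bullseye (security) | 2.17.0-1~deb11u1 | fixed |
| apache-log4j2 | sid | 2.19.0-2 | fixed |
| apache-log4j2 | trixie | 2.19.0-2 | fixed |
| apache-log4j2 | bookworm | 2.19.0-2 | fixed |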
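
Ubuntu Releases

| Ubuntu Product | Codename | Version | Status |
|---|---|---|---|
| apache-log4j2 | noble | | not-affected |
| apache-log4j2 | mantic | | not-affected |
| apache-log4j2 | lunar | | not-affected |
| apache-log4j2 | kinetic | | not-affected |
| apache-log4j2 | jammy | | not-affected |
| apache-log4j2 | impish | Fixed 2.17.0-0.21.10.1 | released |
| apache-log4j2 | hirsute | Fixed 2.17.0-0.21.04.1 | released |
| apache-log4j2 | focal | Fixed 2.17.0-0.20.04.1 | released |
| apache-log4j2 | bionic | Fixed 2.12.4-0ubuntu0.1 | released |
| apache-log4j2 | xenial | | needed |
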
References