apache log4j CVE-2021-45105 vulnerability in Apache and Other Products
Published on December 18, 2021

product logo product logo product logo product logo product logo product logo
Apache Log4j2 versions 2.0-alpha1 through 2.16.0 (excluding 2.12.3 and 2.3.1) did not protect from uncontrolled recursion from self-referential lookups. This allows an attacker with control over Thread Context Map data to cause a denial of service when a crafted string is interpreted. This issue was fixed in Log4j 2.17.0, 2.12.3, and 2.3.1.

Github Repository Github Repository Vendor Advisory NVD

Vulnerability Analysis

CVE-2021-45105 can be exploited with network access, and does not require authorization privileges or user interaction. This vulnerability is consided to have a high level of attack complexity. It has an exploitability score of 2.2 out of four. The potential impact of an exploit of this vulnerability is considered to have no impact on confidentiality and integrity, and a high impact on availability.

Improper Input Validation

The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly.

What is a Stack Exhaustion Vulnerability?

The product does not properly control the amount of recursion which takes place, consuming excessive resources, such as allocated memory or the program stack.

CVE-2021-45105 has been classified to as a Stack Exhaustion vulnerability or weakness.


Products Associated with CVE-2021-45105

You can be notified by stack.watch whenever vulnerabilities like CVE-2021-45105 are published in these products:

 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 

What versions are vulnerable to CVE-2021-45105?

Each of the following must match for the vulnerability to exist.

Each of the following must match for the vulnerability to exist.

Each of the following must match for the vulnerability to exist.

Each of the following must match for the vulnerability to exist.

Each of the following must match for the vulnerability to exist.

Vulnerable Packages

The following package name and versions may be associated with CVE-2021-45105

Package Manager Vulnerable Package Versions Fixed In
maven org.powernukkit:powernukkit <= 1.5.2.0 1.5.2.1
maven com.hazelcast.jet:hazelcast-jet >= 4.1, < 4.5.3 4.5.3
maven com.hazelcast:hazelcast >= 5.0, < 5.0.2 5.0.2
maven com.hazelcast:hazelcast < 4.0.5 4.0.5
maven com.hazelcast:hazelcast >= 4.1.1, < 4.1.8 4.1.8
maven com.hazelcast:hazelcast >= 4.2, < 4.2.4 4.2.4