CVE-2021-45105 vulnerability in Apache and Other Products
Published on December 18, 2021






Vulnerability Analysis
CVE-2021-45105 can be exploited with network access, and does not require authorization privileges or user interaction. This vulnerability is considered to have a high level of attack complexity. It has an exploitability score of 2.2 out of four. An exploit of this vulnerability is considered to have no impact on confidentiality or integrity, and a high impact on availability.
Improper Input Validation
The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly.
What is a Stack Exhaustion Vulnerability?
The product does not properly control the amount of recursion which takes place, consuming excessive resources, such as allocated memory or the program stack.
CVE-2021-45105 has been classified as a Stack Exhaustion vulnerability or weakness.
What versions are vulnerable to CVE-2021-45105?
- Apache Log4j Version 2.0 Fixed in Version 2.3.1
- Apache Log4j Version 2.4 Fixed in Version 2.12.3
- Apache Log4j Version 2.13.0 through 2.16.0
- NetApp Cloud Manager Version -
- Debian Linux Version 10.0
- Debian Linux Version 11.0
- SonicWall Network Security Manager Version 2.0 Fixed in Version 3.0
- SonicWall Email Security Up to Version 10.0.12
- SonicWall Web Application Firewall Version 3.0.0 Fixed in Version 3.1.0
Each of the following must match for the vulnerability to exist.
- Oracle E Business Suite Version 12.2
- Oracle Retail Back Office Version 14.1
- Oracle Weblogic Server Version 12.2.1.3.0
- Oracle Webcenter Portal Version 12.2.1.3.0
- Oracle Webcenter Sites Version 12.2.1.3.0
- Oracle Managed File Transfer Version 12.2.1.3.0
- Oracle Retail Order Broker Version 16.0
- Oracle Retail Integration Bus Version 14.1.3
- Oracle Retail Returns Management Version 14.1
- Oracle Retail Central Office Version 14.1
- Oracle Primavera Unifier Version 18.8
- Oracle Retail Point Of Service Version 14.1
- Oracle Instantis Enterprisetrack Version 17.1
- Oracle Instantis Enterprisetrack Version 17.2
- Oracle Instantis Enterprisetrack Version 17.3
- Oracle Weblogic Server Version 12.2.1.4.0
- Oracle Business Intelligence Version 5.5.0.0.0
- Oracle Primavera Unifier Version 19.12
- Oracle Communications Unified Inventory Management Version 7.3.5
- Oracle Webcenter Sites Version 12.2.1.4.0
- Oracle Identity Management Suite Version 12.2.1.3.0
- Oracle Data Integrator Version 12.2.1.3.0
- Oracle Flexcube Universal Banking Version 14.0.0 through 14.3.0
- Oracle Banking Platform Version 2.6.2
- Oracle Peoplesoft Enterprise Peopletools Version 8.58
- Oracle Utilities Framework Version 4.4.0.0.0
- Oracle Agile Plm Version 9.3.6
- Oracle Webcenter Portal Version 12.2.1.4.0
- Oracle Weblogic Server Version 14.1.1.0.0
- Oracle Communications Services Gatekeeper Version 7.0
- Oracle Retail Service Backbone Version 14.1.3
- Oracle Primavera Unifier Version 20.12
- Oracle Managed File Transfer Version 12.2.1.4.0
- Oracle Retail Order Broker Version 18.0
- Oracle Communications Interactive Session Recorder Version 6.3
- Oracle Communications Interactive Session Recorder Version 6.4
- Oracle Retail Service Backbone Version 15.0.3.1
- Oracle Retail Service Backbone Version 14.1.3.2
- Oracle Primavera Gateway Version 17.12.0 through 17.12.11
- Oracle Retail Price Management Version 14.1.3.0
- Oracle Retail Price Management Version 15.0.3.0
- Oracle Retail Price Management Version 16.0.3.0
- Oracle Retail Order Broker Version 19.1
- Oracle Primavera Gateway Version 20.12.0 through 20.12.7
- Oracle Communications Ip Service Activator Version 7.4.0
- Oracle Communications Performance Intelligence Center Version 10.4.0.3
- Oracle Communications Evolved Communications Application Server Version 7.1
- Oracle Communications Unified Inventory Management Version 7.4.1
- Oracle Communications Network Integrity Version 7.3.6
- Oracle Jdeveloper Version 12.2.1.4.0
- Oracle Data Integrator Version 12.2.1.4.0
- Oracle Banking Platform Version 2.7.1
- Oracle Enterprise Manager Ops Center Version 12.4.0.0
- Oracle Enterprise Manager Peoplesoft Version 13.4.1.1
- Oracle Enterprise Manager Base Platform Version 13.5.0.0
- Oracle Enterprise Manager Base Platform Version 13.4.0.0
- Oracle Peoplesoft Enterprise Peopletools Version 8.59
- Oracle Insurance Insbridge Rating Underwriting Version 5.6.1.0
- Oracle Agile Engineering Data Management Version 6.2.1.0
- Oracle Retail Merchandising System Version 16.0.3
- Oracle Utilities Framework Version 4.4.0.2.0
- Oracle Utilities Framework Version 4.4.0.3.0
- Oracle Utilities Framework Version 4.3.0.1.0 through 4.3.0.6.0
- Oracle Retail Service Backbone Version 19.0.1.0
- Oracle Retail Integration Bus Version 14.1.3.2
- Oracle Retail Eftlink Version 16.0.3
- Oracle Retail Eftlink Version 17.0.2
- Oracle Retail Eftlink Version 18.0.1
- Oracle Retail Eftlink Version 19.0.1
- Oracle Retail Integration Bus Version 15.0.3.1
- Oracle Financial Services Model Management Governance Version 8.1.0.0.0
- Oracle Financial Services Model Management Governance Version 8.0.8.0.0
- Oracle Financial Services Analytical Applications Infrastructure Version 8.0.7 through 8.1.1
- Oracle Primavera Unifier Version 21.12
- Oracle Siebel Ui Framework Up to Version 21.12
- Oracle Retail Service Backbone Version 19.0.0
- Oracle Retail Price Management Version 13.2
- Oracle Retail Price Management Version 14.0.4
- Oracle Retail Predictive Application Server Version 14.1.3.46
- Oracle Retail Predictive Application Server Version 15.0.3.115
- Oracle Retail Predictive Application Server Version 16.0.3.240
- Oracle Retail Order Management System Version 19.5
- Oracle Retail Invoice Matching Version 15.0.3
- Oracle Retail Invoice Matching Version 16.0.3
- Oracle Retail Integration Bus Version 19.0.0 through 19.0.1.0
- Oracle Retail Eftlink Version 20.0.1
- Oracle Financial Services Model Management Governance Version 8.1.1.0.0
- Oracle Primavera P6 Enterprise Project Portfolio Management Version 21.12.0.0
- Oracle Primavera P6 Enterprise Project Portfolio Management Version 20.12.0.0 through 20.12.12.0
- Oracle Primavera P6 Enterprise Project Portfolio Management Version 19.12.0.0 through 19.12.18.0
- Oracle Primavera Gateway Version 21.12.0
- Oracle Primavera Gateway Version 19.12.0 through 19.12.12
- Oracle Primavera Gateway Version 18.8.0 through 18.8.13
- Oracle Communications Diameter Signaling Router Version 8.3.0.0 through 8.5.1.0
- Oracle Communications Webrtc Session Controller Version 7.2.0.0
- Oracle Communications Webrtc Session Controller Version 7.2.1
- Oracle Communications Service Broker Version 6.2
- Oracle Communications Messaging Server Version 8.1
- Oracle Communications Convergent Charging Controller Version 12.0.1.0.0 through 12.0.4.0.0
- Oracle Communications Convergent Charging Controller Version 6.0.1.0.0
- Oracle Communications Convergence Version 3.0.2.2.0
- Oracle Communications Billing Revenue Management Version 12.0.0.4
- Oracle Communications Asap Version 7.3
- Oracle Communications Session Route Manager Fixed in Version 9.0
- Oracle Communications Session Report Manager Fixed in Version 9.0
- Oracle Communications Element Manager Fixed in Version 9.0
- Oracle Communications Eagle Ftp Table Base Retrieval Version 4.5
- Oracle Communications Cloud Native Core Security Edge Protection Proxy Version 1.7.0
- Oracle Communications Unified Inventory Management Version 7.4.2
- Oracle Communications Pricing Design Center Version 12.0.0.4
- Oracle Communications Pricing Design Center Version 12.0.0.5
- Oracle Communications Network Charging Control Version 12.0.1.0.0 through 12.0.4.0.0
- Oracle Communications Network Charging Control Version 6.0.1.0.0
- Oracle Banking Platform Version 2.12.0
- Oracle Banking Party Management Version 2.7.0
- Oracle Banking Loans Servicing Version 2.12.0
- Oracle Banking Enterprise Default Management Version 2.7.1
- Oracle Banking Enterprise Default Management Version 2.12.0
- Oracle Banking Deposits Lines Credit Servicing Version 2.12.0
- Oracle Hospitality Suite8 Version 8.13.0
- Oracle Hospitality Suite8 Version 8.14.0
- Oracle Healthcare Translational Research Version 4.1.0
- Oracle Healthcare Data Repository Version 8.1.1
- Oracle Insurance Insbridge Rating Underwriting Version 5.2.0
- Oracle Retail Service Backbone Version 16.0.1 through 16.0.3
- Oracle Retail Service Backbone Version 19.0.1
- Oracle Retail Merchandising System Version 19.0.1
- Oracle Retail Integration Bus Version 16.0.1 through 16.0.3
- Oracle Retail Integration Bus Version 19.0.1
- Oracle Retail Integration Bus Version 19.0.0
- Oracle Retail Financial Integration Version 14.1.3.2
- Oracle Retail Financial Integration Version 15.0.3.1
- Oracle Retail Financial Integration Version 19.0.1
- Oracle Autovue Agile Product Lifecycle Management Version 21.0.2
- Oracle Agile Plm Mcad Connector Version 3.6
- Oracle Communications Convergence Version 3.0.3.0
- Oracle Communications Billing Revenue Management Version 12.0.0.5
- Oracle Sql Developer Fixed in Version 21.4.2
- Oracle Communications User Data Repository Version 12.4
- Oracle Communications Eagle Element Management System Version 46.6
- Oracle Communications Cloud Native Core Unified Data Repository Version 1.15.0
- Oracle Communications Cloud Native Core Service Communication Proxy Version 1.15.0
- Oracle Communications Cloud Native Core Policy Version 1.15.0
- Oracle Communications Cloud Native Core Network Slice Selection Function Version 1.8.0
- Oracle Communications Cloud Native Core Network Repository Function Version 1.15.0
- Oracle Communications Cloud Native Core Network Repository Function Version 1.15.1
- Oracle Communications Cloud Native Core Network Function Cloud Native Environment Version 1.10.0
- Oracle Communications Cloud Native Core Console Version 1.9.0
- Oracle Management Cloud Engine Version 1.5.0
- Oracle Identity Manager Connector Version 9.1.0
- Oracle Identity Management Suite Version 12.2.1.4.0
- Oracle Flexcube Universal Banking Version 11.83.3
- Oracle Flexcube Universal Banking Version 14.5
- Oracle Flexcube Universal Banking Version 12.1.0 through 12.4
- Oracle Banking Treasury Management Version 14.5
- Oracle Banking Trade Finance Version 14.5
- Oracle Banking Payments Version 14.5
- Oracle Enterprise Manager Peoplesoft Version 13.5.1.1
- Oracle Payment Interface Version 19.1
- Oracle Payment Interface Version 20.3
- Oracle Hospitality Token Proxy Service Version 19.2
- Oracle Healthcare Translational Research Version 4.1.1
- Oracle Healthcare Master Person Index Version 5.0.1
- Oracle Healthcare Foundation Version 7.3.0.1 through 7.3.0.4
- Oracle Health Sciences Information Manager Version 3.0.1 through 3.0.4
- Oracle Health Sciences Inform Version 6.3.2.1
- Oracle Health Sciences Inform Version 7.0.0.0
- Oracle Health Sciences Inform Version 6.2.1.1
- Oracle Health Sciences Empirica Signal Version 9.2.0.0
- Oracle Health Sciences Empirica Signal Version 9.1.0.6
- Oracle Mysql Enterprise Monitor Up to Version 8.0.29
- Oracle Insurance Insbridge Rating Underwriting Version 5.4 through 5.6.0.0
- Oracle Insurance Data Gateway Version 1.0.1
- Oracle Hyperion Tax Provision Fixed in Version 11.2.8.0
- Oracle Hyperion Profitability Cost Management Fixed in Version 11.2.8.0
- Oracle Hyperion Planning Fixed in Version 11.2.8.0
- Oracle Hyperion Infrastructure Technology Fixed in Version 11.2.8.0
- Oracle Hyperion Data Relationship Management Fixed in Version 11.2.8.0
- Oracle Hyperion Bi Fixed in Version 11.2.8.0
- Oracle Retail Store Inventory Management Version 14.1.3.14
- Oracle Retail Store Inventory Management Version 14.1.3.5
- Oracle Retail Store Inventory Management Version 15.0.3.3
- Oracle Retail Store Inventory Management Version 15.0.3.8
- Oracle Retail Store Inventory Management Version 16.0.3.7
- Oracle Retail Store Inventory Management Version 14.0.4.13
- Oracle Retail Financial Integration Version 16.0.1 through 16.0.3
- Oracle Retail Financial Integration Version 19.0.0
- Oracle Retail Eftlink Version 21.0.0
- Oracle Retail Data Extractor Merchandising Version 15.0.2
- Oracle Retail Data Extractor Merchandising Version 16.0.2
- Oracle Retail Customer Insights Version 16.0.2
- Oracle Retail Customer Insights Version 15.0.2
- Oracle Taleo Platform Fixed in Version 22.1
Vulnerable Packages
The following package names and versions may be associated with CVE-2021-45105:
Package Manager | Vulnerable Package | Versions | Fixed In |
---|---|---|---|
maven | org.powernukkit:powernukkit | <= 1.5.2.0 | 1.5.2.1 |
maven | com.hazelcast.jet:hazelcast-jet | >= 4.1, < 4.5.3 | 4.5.3 |
maven | com.hazelcast:hazelcast | >= 5.0, < 5.0.2 | 5.0.2 |
maven | com.hazelcast:hazelcast | < 4.0.5 | 4.0.5 |
maven | com.hazelcast:hazelcast | >= 4.1.1, < 4.1.8 | 4.1.8 |
maven | com.hazelcast:hazelcast | >= 4.2, < 4.2.4 | 4.2.4 |