Rapid7 Vulnerability & Exploit Database

Apache Log4j Core: CVE-2021-45105: Apache Log4j2 does not always protect from infinite recursion in lookup evaluation

Severity: 4
CVSS: (AV:N/AC:M/Au:N/C:N/I:N/A:P)
Published: 12/17/2021
Created: 12/21/2021
Added: 12/20/2021
Modified: 07/18/2022

Description

Apache Log4j2 versions 2.0-alpha1 through 2.16.0 did not protect against uncontrolled recursion from self-referential lookups. When the logging configuration uses a non-default Pattern Layout with a Context Lookup (for example, $${ctx:loginId}), attackers with control over Thread Context Map (MDC) input data can craft malicious input data that contains a recursive lookup, resulting in a StackOverflowError that will terminate the process. This is a denial-of-service (DoS) attack.

Solution(s)

  • apache-log4j-core-upgrade-2_12_3
  • apache-log4j-core-upgrade-2_17
  • apache-log4j-core-upgrade-2_3_1
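
An added example, not part of the Rapid7 entry or Log4j's own code: a Python audit check that combines the two conditions in the description, an affected log4j-core version and a Pattern Layout containing a Context Lookup. The fixed versions are read off the solution list above; mapping 2.3.1 and 2.12.3 to their own minor lines, the function names and the sample configuration are assumptions made for the example.

```python
import re
import xml.etree.ElementTree as ET

# Fixed releases from the solution list (2.3.1, 2.12.3, 2.17). Assumption:
# 2.3.1 and 2.12.3 fix only their own minor line; everything else needs 2.17.0.
BRANCH_FIX = {(2, 3): (2, 3, 1), (2, 12): (2, 12, 3)}
MAINLINE_FIX = (2, 17, 0)

# Matches ${ctx:...} and $${ctx:...} Context Lookups inside a layout pattern.
CTX_LOOKUP = re.compile(r"\$\$?\{ctx:[^}]*\}")

def parse_version(text):
    """'2.16.0' -> (2, 16, 0); a tag such as '-alpha1' is ignored."""
    m = re.match(r"(\d+)\.(\d+)(?:\.(\d+))?", text)
    if not m:
        raise ValueError(f"unrecognised version: {text!r}")
    return tuple(int(g or 0) for g in m.groups())

def is_affected_version(text):
    ver = parse_version(text)
    if ver[0] != 2:          # this entry covers Log4j2 only
        return False
    return ver < BRANCH_FIX.get(ver[:2], MAINLINE_FIX)

def risky_patterns(config_xml):
    """Return PatternLayout patterns that contain a Context Lookup."""
    hits = []
    for el in ET.fromstring(config_xml).iter():
        if el.tag.lower() != "patternlayout":
            continue
        patterns = [el.get("pattern") or ""]
        patterns += [c.text or "" for c in el if c.tag.lower() == "pattern"]
        hits += [p for p in patterns if CTX_LOOKUP.search(p)]
    return hits

def exposed(version, config_xml):
    """Both conditions from the description must hold."""
    return is_affected_version(version) and bool(risky_patterns(config_xml))

# Constructed sample configuration. Appender B uses the %X pattern converter,
# which is not a lookup and is therefore not flagged.
SAMPLE_CONFIG = """<Configuration><Appenders>
  <Console name="A"><PatternLayout pattern="%d $${ctx:loginId} %m%n"/></Console>
  <Console name="B"><PatternLayout pattern="%d %X{loginId} %m%n"/></Console>
</Appenders></Configuration>"""

if __name__ == "__main__":
    for v in ("2.0-alpha1", "2.12.2", "2.12.3", "2.16.0", "2.17.0"):
        print(v, "exposed" if exposed(v, SAMPLE_CONFIG) else "not exposed")
```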
