CVE-2021-45105
DoS (Denial of Service) vulnerability in org.apache.logging.log4j:log4j-core

DoS (Denial of Service) Proof of concept

What is CVE-2021-45105 About?

Apache Log4j2 versions 2.0-alpha1 through 2.16.0 (excluding 2.12.3) are vulnerable to a Denial of Service (DoS) due to uncontrolled recursion from self-referential lookups. An attacker with control over Thread Context Map data can trigger this by crafting a specific string, causing the application to crash. Exploitation complexity is moderate, requiring specific input in the Thread Context Map.

Affected Software

  • org.apache.logging.log4j:log4j-core
    • <2.3.1
    • >2.4.0, <2.12.3
    • >2.13.0, <2.17.0
  • org.ops4j.pax.logging:pax-logging-log4j2
    • >1.8.0, <1.9.2
    • >1.10.0, <1.10.9
    • >2.0.0, <2.0.13
    • >1.11.0, <1.11.12

Technical Details

Apache Log4j2 versions 2.0-alpha1 through 2.16.0 (excluding 2.12.3) suffer from a Denial of Service (DoS) vulnerability caused by uncontrolled recursion in self-referential lookups. The problem arises when an attacker can inject a crafted string into the Thread Context Map (MDC), the per-thread key/value data that Log4j2 attaches to log events, and that string is later evaluated by Log4j2's lookup mechanism. The crafted string contains a lookup pattern that references itself, or another lookup that eventually refers back to the original, forming a cycle. When Log4j2 tries to resolve the cycle it recurses without bound, rapidly consuming stack memory until a StackOverflowError (or comparable resource exhaustion) crashes the application. According to the Apache Log4j security advisory, this path is reachable only when the logging configuration uses a non-default Pattern Layout that contains a Context Lookup (for example `${ctx:loginId}`); replacing such lookups with the Thread Context Map pattern `%X{loginId}` is a configuration-level mitigation where upgrading is not immediately possible. The vulnerability primarily affects the `org.apache.logging.log4j:log4j-core` package.

What is the Impact of CVE-2021-45105?

Successful exploitation may allow attackers to cause a denial of service by triggering uncontrolled recursion, leading to application crashes and unavailability.

What is the Exploitability of CVE-2021-45105?

Exploitation of this vulnerability is of moderate complexity. An attacker needs control over data placed into the Log4j2 Thread Context Map (MDC), which in practice means a medium level of access to, or influence over, data that ends up in log messages. The Log4j2 library itself performs no authentication, but an attacker usually needs to be authenticated to the application in order to inject data into the MDC; no privileges beyond the ability to influence log inputs are required. The attack can be remote when user-controlled input (e.g., HTTP headers, API parameters) is logged and placed into the MDC. The exact format of the crafted string is what triggers the recursion. The risk is highest for applications that populate the Thread Context Map extensively with unsanitized user input.

What are the Known Public Exploits?

Public proof-of-concept repositories (author: title):

  • cckuailong: Log4j_dos_CVE-2021-45105
  • iAmSOScArEd: log4j2 dos exploit, CVE-2021-45105 exploit, Denial of Service poc
  • name: Discover and remediate Log4Shell vulnerability [CVE-2021-45105]

What are the Available Fixes for CVE-2021-45105?

Available Upgrade Options

  • org.apache.logging.log4j:log4j-core
    • <2.3.1 → Upgrade to 2.3.1
    • >2.4.0, <2.12.3 → Upgrade to 2.12.3
    • >2.13.0, <2.17.0 → Upgrade to 2.17.0
  • org.ops4j.pax.logging:pax-logging-log4j2
    • >1.8.0, <1.9.2 → Upgrade to 1.9.2
    • >1.10.0, <1.10.9 → Upgrade to 1.10.9
    • >1.11.0, <1.11.12 → Upgrade to 1.11.12
    • >2.0.0, <2.0.13 → Upgrade to 2.0.13
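To turn the version ranges and upgrade targets above into an audit check, here is an added example (not code from the page or from Apache) that maps a Maven coordinate and version to the fix version listed here and scans `mvn dependency:tree` output for affected artifacts. It assumes lower bounds are inclusive, as the summary's "2.0-alpha1 through 2.16.0" wording implies, and uses a constructed sample tree.

```python
import re
# Affected ranges and upgrade targets listed on this page, keyed by Maven
# coordinate as (lower bound, exclusive upper bound, version to move to).
# Assumption: lower bounds are treated as inclusive, since the summary says
# every release from 2.0-alpha1 through 2.16.0 (except 2.12.3) is affected.
AFFECTED = {
    "org.apache.logging.log4j:log4j-core": [
        (None, "2.3.1", "2.3.1"), ("2.4.0", "2.12.3", "2.12.3"),
        ("2.13.0", "2.17.0", "2.17.0"),
    ],
    "org.ops4j.pax.logging:pax-logging-log4j2": [
        ("1.8.0", "1.9.2", "1.9.2"), ("1.10.0", "1.10.9", "1.10.9"),
        ("1.11.0", "1.11.12", "1.11.12"), ("2.0.0", "2.0.13", "2.0.13"),
    ],
}

def version_key(version):
    """Sort key for 2.4, 2.12.3 or 2.0-alpha1: numeric parts padded to three;
    a '-' qualifier (alpha1, beta9, rc1) sorts before the bare release."""
    number, _, qualifier = version.partition("-")
    parts = tuple(int(p) for p in number.split("."))
    parts += (0,) * (3 - len(parts))
    return (parts, 0, qualifier) if qualifier else (parts, 1, "")

def upgrade_target(coordinate, version):
    """Return the fixed version to move to, or None when not affected."""
    key = version_key(version)
    for lower, upper, target in AFFECTED.get(coordinate, []):
        if (lower is None or version_key(lower) <= key) and key < version_key(upper):
            return target
    return None

# A `mvn dependency:tree` line (no classifier): "[INFO] +- groupId:artifactId:type:version:scope".
TREE_LINE = re.compile(r"([\w.-]+):([\w.-]+):[\w-]+:([\w.-]+):\w+$", re.MULTILINE)

def scan_tree(text):
    """Return (coordinate, version, upgrade target) for each affected line."""
    hits = []
    for group, artifact, version in TREE_LINE.findall(text):
        target = upgrade_target(f"{group}:{artifact}", version)
        if target:
            hits.append((f"{group}:{artifact}", version, target))
    return hits

# Constructed sample of dependency:tree output, not from any real project.
SAMPLE_TREE = "\n".join([
    "[INFO] +- org.apache.logging.log4j:log4j-core:jar:2.16.0:compile",
    "[INFO] +- org.apache.logging.log4j:log4j-api:jar:2.16.0:compile",
    "[INFO] \\- org.ops4j.pax.logging:pax-logging-log4j2:jar:1.11.5:runtime",
])
```

Running `scan_tree(SAMPLE_TREE)` flags log4j-core 2.16.0 (upgrade to 2.17.0) and pax-logging-log4j2 1.11.5 (upgrade to 1.11.12) while ignoring log4j-api, which this page does not list as affected.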


Additional Resources

What are Similar Vulnerabilities to CVE-2021-45105?

Similar Vulnerabilities: CVE-2021-44228, CVE-2021-45046, CVE-2022-23307, CVE-2022-23305, CVE-2021-3803