CVE-2021-45105


Apache Log4j2 versions 2.0-alpha1 through 2.16.0 (excluding 2.12.3 and 2.3.1) did not protect from uncontrolled recursion from self-referential lookups. This allows an attacker with control over Thread Context Map data to cause a denial of service when a crafted string is interpreted. This issue was fixed in Log4j 2.17.0, 2.12.3, and 2.3.1.


Published

2021-12-18T12:15:07.433

Last Modified

2024-11-21T06:31:58.170

Status

Modified

Source

[email protected]

Severity

CVSSv3.1: 5.9 (MEDIUM)

CVSSv2 Vector

AV:N/AC:M/Au:N/C:N/I:N/A:P

  • Access Vector: NETWORK
  • Access Complexity: MEDIUM
  • Authentication: NONE
  • Confidentiality Impact: NONE
  • Integrity Impact: NONE
  • Availability Impact: PARTIAL
Exploitability Score

8.6

Impact Score

2.9

Weaknesses
  • Type: Secondary
    CWE-20
    CWE-674
  • Type: Primary
    CWE-20
    CWE-674

Affected Vendors & Products
Type Vendor Product Version/Range Vulnerable?
Application apache log4j < 2.3.1 Yes
Application apache log4j < 2.12.3 Yes
Application apache log4j ≤ 2.16.0 Yes
Application netapp cloud_manager - Yes
Operating System debian debian_linux 10.0 Yes
Operating System debian debian_linux 11.0 Yes
Application sonicwall email_security ≤ 10.0.12 Yes
Application sonicwall network_security_manager < 3.0 Yes
Application sonicwall network_security_manager < 3.0 Yes
Application sonicwall web_application_firewall < 3.1.0 Yes
Operating System sonicwall 6bk1602-0aa12-0tp0_firmware < 2.7.0 Yes
Hardware sonicwall 6bk1602-0aa12-0tp0 - No
Operating System sonicwall 6bk1602-0aa22-0tp0_firmware < 2.7.0 Yes
Hardware sonicwall 6bk1602-0aa22-0tp0 - No
Operating System sonicwall 6bk1602-0aa32-0tp0_firmware < 2.7.0 Yes
Hardware sonicwall 6bk1602-0aa32-0tp0 - No
Operating System sonicwall 6bk1602-0aa42-0tp0_firmware < 2.7.0 Yes
Hardware sonicwall 6bk1602-0aa42-0tp0 - No
Operating System sonicwall 6bk1602-0aa52-0tp0_firmware < 2.7.0 Yes
Hardware sonicwall 6bk1602-0aa52-0tp0 - No
Application oracle agile_engineering_data_management 6.2.1.0 Yes
Application oracle agile_plm 9.3.6 Yes
Application oracle agile_plm_mcad_connector 3.6 Yes
Application oracle autovue_for_agile_product_lifecycle_management 21.0.2 Yes
Application oracle banking_deposits_and_lines_of_credit_servicing 2.12.0 Yes
Application oracle banking_enterprise_default_management 2.7.1 Yes
Application oracle banking_enterprise_default_management 2.12.0 Yes
Application oracle banking_loans_servicing 2.12.0 Yes
Application oracle banking_party_management 2.7.0 Yes
Application oracle banking_payments 14.5 Yes
Application oracle banking_platform 2.6.2 Yes
Application oracle banking_platform 2.7.1 Yes
Application oracle banking_platform 2.12.0 Yes
Application oracle banking_trade_finance 14.5 Yes
Application oracle banking_treasury_management 14.5 Yes
Application oracle business_intelligence 5.5.0.0.0 Yes
Application oracle communications_asap 7.3 Yes
Application oracle communications_billing_and_revenue_management 12.0.0.4 Yes
Application oracle communications_billing_and_revenue_management 12.0.0.5 Yes
Application oracle communications_cloud_native_core_console 1.9.0 Yes
Application oracle communications_cloud_native_core_network_function_cloud_native_environment 1.10.0 Yes
Application oracle communications_cloud_native_core_network_repository_function 1.15.0 Yes
Application oracle communications_cloud_native_core_network_repository_function 1.15.1 Yes
Application oracle communications_cloud_native_core_network_slice_selection_function 1.8.0 Yes
Application oracle communications_cloud_native_core_policy 1.15.0 Yes
Application oracle communications_cloud_native_core_security_edge_protection_proxy 1.7.0 Yes
Application oracle communications_cloud_native_core_service_communication_proxy 1.15.0 Yes
Application oracle communications_cloud_native_core_unified_data_repository 1.15.0 Yes
Application oracle communications_convergence 3.0.2.2.0 Yes
Application oracle communications_convergence 3.0.3.0 Yes
Application oracle communications_convergent_charging_controller ≤ 12.0.4.0.0 Yes
Application oracle communications_convergent_charging_controller 6.0.1.0.0 Yes
Application oracle communications_diameter_signaling_router ≤ 8.5.1.0 Yes
Application oracle communications_eagle_element_management_system 46.6 Yes
Application oracle communications_eagle_ftp_table_base_retrieval 4.5 Yes
Application oracle communications_element_manager < 9.0 Yes
Application oracle communications_evolved_communications_application_server 7.1 Yes
Application oracle communications_interactive_session_recorder 6.3 Yes
Application oracle communications_interactive_session_recorder 6.4 Yes
Application oracle communications_ip_service_activator 7.4.0 Yes
Application oracle communications_messaging_server 8.1 Yes
Application oracle communications_network_charging_and_control ≤ 12.0.4.0.0 Yes
Application oracle communications_network_charging_and_control 6.0.1.0.0 Yes
Application oracle communications_network_integrity 7.3.6 Yes
Application oracle communications_performance_intelligence_center 10.4.0.3 Yes
Application oracle communications_pricing_design_center 12.0.0.4 Yes
Application oracle communications_pricing_design_center 12.0.0.5 Yes
Application oracle communications_service_broker 6.2 Yes
Application oracle communications_services_gatekeeper 7.0 Yes
Application oracle communications_session_report_manager < 9.0 Yes
Application oracle communications_session_route_manager < 9.0 Yes
Application oracle communications_unified_inventory_management 7.3.5 Yes
Application oracle communications_unified_inventory_management 7.4.1 Yes
Application oracle communications_unified_inventory_management 7.4.2 Yes
Application oracle communications_user_data_repository 12.4 Yes
Application oracle communications_webrtc_session_controller 7.2.0.0 Yes
Application oracle communications_webrtc_session_controller 7.2.1 Yes
Application oracle data_integrator 12.2.1.3.0 Yes
Application oracle data_integrator 12.2.1.4.0 Yes
Application oracle e-business_suite 12.2 Yes
Application oracle enterprise_manager_base_platform 13.4.0.0 Yes
Application oracle enterprise_manager_base_platform 13.5.0.0 Yes
Application oracle enterprise_manager_for_peoplesoft 13.4.1.1 Yes
Application oracle enterprise_manager_for_peoplesoft 13.5.1.1 Yes
Application oracle enterprise_manager_ops_center 12.4.0.0 Yes
Application oracle financial_services_analytical_applications_infrastructure ≤ 8.1.1 Yes
Application oracle financial_services_model_management_and_governance 8.0.8.0.0 Yes
Application oracle financial_services_model_management_and_governance 8.1.0.0.0 Yes
Application oracle financial_services_model_management_and_governance 8.1.1.0.0 Yes
Application oracle flexcube_universal_banking ≤ 12.4 Yes
Application oracle flexcube_universal_banking ≤ 14.3.0 Yes
Application oracle flexcube_universal_banking 11.83.3 Yes
Application oracle flexcube_universal_banking 14.5 Yes
Application oracle health_sciences_empirica_signal 9.1.0.6 Yes
Application oracle health_sciences_empirica_signal 9.2.0.0 Yes
Application oracle health_sciences_inform 6.2.1.1 Yes
Application oracle health_sciences_inform 6.3.2.1 Yes
Application oracle health_sciences_inform 7.0.0.0 Yes
Application oracle health_sciences_information_manager ≤ 3.0.4 Yes
Application oracle healthcare_data_repository 8.1.1 Yes
Application oracle healthcare_foundation ≤ 7.3.0.4 Yes
Application oracle healthcare_master_person_index 5.0.1 Yes
Application oracle healthcare_translational_research 4.1.0 Yes
Application oracle healthcare_translational_research 4.1.1 Yes
Application oracle hospitality_suite8 8.13.0 Yes
Application oracle hospitality_suite8 8.14.0 Yes
Application oracle hospitality_token_proxy_service 19.2 Yes
Application oracle hyperion_bi\+ < 11.2.8.0 Yes
Application oracle hyperion_data_relationship_management < 11.2.8.0 Yes
Application oracle hyperion_infrastructure_technology < 11.2.8.0 Yes
Application oracle hyperion_planning < 11.2.8.0 Yes
Application oracle hyperion_profitability_and_cost_management < 11.2.8.0 Yes
Application oracle hyperion_tax_provision < 11.2.8.0 Yes
Application oracle identity_management_suite 12.2.1.3.0 Yes
Application oracle identity_management_suite 12.2.1.4.0 Yes
Application oracle identity_manager_connector 9.1.0 Yes
Application oracle instantis_enterprisetrack 17.1 Yes
Application oracle instantis_enterprisetrack 17.2 Yes
Application oracle instantis_enterprisetrack 17.3 Yes
Application oracle insurance_data_gateway 1.0.1 Yes
Application oracle insurance_insbridge_rating_and_underwriting ≤ 5.6.0.0 Yes
Application oracle insurance_insbridge_rating_and_underwriting 5.2.0 Yes
Application oracle insurance_insbridge_rating_and_underwriting 5.6.1.0 Yes
Application oracle jdeveloper 12.2.1.4.0 Yes
Application oracle managed_file_transfer 12.2.1.3.0 Yes
Application oracle managed_file_transfer 12.2.1.4.0 Yes
Application oracle management_cloud_engine 1.5.0 Yes
Application oracle mysql_enterprise_monitor ≤ 8.0.29 Yes
Application oracle payment_interface 19.1 Yes
Application oracle payment_interface 20.3 Yes
Application oracle peoplesoft_enterprise_peopletools 8.58 Yes
Application oracle peoplesoft_enterprise_peopletools 8.59 Yes
Application oracle primavera_gateway ≤ 17.12.11 Yes
Application oracle primavera_gateway ≤ 18.8.13 Yes
Application oracle primavera_gateway ≤ 19.12.12 Yes
Application oracle primavera_gateway ≤ 20.12.7 Yes
Application oracle primavera_gateway 21.12.0 Yes
Application oracle primavera_p6_enterprise_project_portfolio_management ≤ 19.12.18.0 Yes
Application oracle primavera_p6_enterprise_project_portfolio_management ≤ 20.12.12.0 Yes
Application oracle primavera_p6_enterprise_project_portfolio_management 21.12.0.0 Yes
Application oracle primavera_unifier 18.8 Yes
Application oracle primavera_unifier 19.12 Yes
Application oracle primavera_unifier 20.12 Yes
Application oracle primavera_unifier 21.12 Yes
Application oracle retail_back_office 14.1 Yes
Application oracle retail_central_office 14.1 Yes
Application oracle retail_customer_insights 15.0.2 Yes
Application oracle retail_customer_insights 16.0.2 Yes
Application oracle retail_data_extractor_for_merchandising 15.0.2 Yes
Application oracle retail_data_extractor_for_merchandising 16.0.2 Yes
Application oracle retail_eftlink 16.0.3 Yes
Application oracle retail_eftlink 17.0.2 Yes
Application oracle retail_eftlink 18.0.1 Yes
Application oracle retail_eftlink 19.0.1 Yes
Application oracle retail_eftlink 20.0.1 Yes
Application oracle retail_eftlink 21.0.0 Yes
Application oracle retail_financial_integration ≤ 16.0.3 Yes
Application oracle retail_financial_integration 14.1.3.2 Yes
Application oracle retail_financial_integration 15.0.3.1 Yes
Application oracle retail_financial_integration 19.0.0 Yes
Application oracle retail_financial_integration 19.0.1 Yes
Application oracle retail_integration_bus ≤ 16.0.3 Yes
Application oracle retail_integration_bus ≤ 19.0.1.0 Yes
Application oracle retail_integration_bus 14.1.3 Yes
Application oracle retail_integration_bus 14.1.3.2 Yes
Application oracle retail_integration_bus 15.0.3.1 Yes
Application oracle retail_integration_bus 19.0.0 Yes
Application oracle retail_integration_bus 19.0.1 Yes
Application oracle retail_invoice_matching 15.0.3 Yes
Application oracle retail_invoice_matching 16.0.3 Yes
Application oracle retail_merchandising_system 16.0.3 Yes
Application oracle retail_merchandising_system 19.0.1 Yes
Application oracle retail_order_broker 16.0 Yes
Application oracle retail_order_broker 18.0 Yes
Application oracle retail_order_broker 19.1 Yes
Application oracle retail_order_management_system 19.5 Yes
Application oracle retail_point-of-service 14.1 Yes
Application oracle retail_predictive_application_server 14.1.3.46 Yes
Application oracle retail_predictive_application_server 15.0.3.115 Yes
Application oracle retail_predictive_application_server 16.0.3.240 Yes
Application oracle retail_price_management 13.2 Yes
Application oracle retail_price_management 14.0.4 Yes
Application oracle retail_price_management 14.1.3.0 Yes
Application oracle retail_price_management 15.0.3.0 Yes
Application oracle retail_price_management 16.0.3.0 Yes
Application oracle retail_returns_management 14.1 Yes
Application oracle retail_service_backbone ≤ 16.0.3 Yes
Application oracle retail_service_backbone 14.1.3 Yes
Application oracle retail_service_backbone 14.1.3.2 Yes
Application oracle retail_service_backbone 15.0.3.1 Yes
Application oracle retail_service_backbone 19.0.0 Yes
Application oracle retail_service_backbone 19.0.1 Yes
Application oracle retail_service_backbone 19.0.1.0 Yes
Application oracle retail_store_inventory_management 14.0.4.13 Yes
Application oracle retail_store_inventory_management 14.1.3.5 Yes
Application oracle retail_store_inventory_management 14.1.3.14 Yes
Application oracle retail_store_inventory_management 15.0.3.3 Yes
Application oracle retail_store_inventory_management 15.0.3.8 Yes
Application oracle retail_store_inventory_management 16.0.3.7 Yes
Application oracle siebel_ui_framework ≤ 21.12 Yes
Application oracle sql_developer < 21.4.2 Yes
Application oracle taleo_platform < 22.1 Yes
Application oracle utilities_framework ≤ 4.3.0.6.0 Yes
Application oracle utilities_framework 4.4.0.0.0 Yes
Application oracle utilities_framework 4.4.0.2.0 Yes
Application oracle utilities_framework 4.4.0.3.0 Yes
Application oracle webcenter_portal 12.2.1.3.0 Yes
Application oracle webcenter_portal 12.2.1.4.0 Yes
Application oracle webcenter_sites 12.2.1.3.0 Yes
Application oracle webcenter_sites 12.2.1.4.0 Yes
Application oracle weblogic_server 12.2.1.3.0 Yes
Application oracle weblogic_server 12.2.1.4.0 Yes
Application oracle weblogic_server 14.1.1.0.0 Yes

References