Vulnerability Monitor

The vendors, products, and vulnerabilities you care about

CVE-2021-45105

Apache Log4j2 versions 2.0-alpha1 through 2.16.0 (excluding 2.12.3 and 2.3.1) did not protect from uncontrolled recursion from self-referential lookups. This allows an attacker with control over Thread Context Map data to cause a denial of service when a crafted string is interpreted. This issue was fixed in Log4j 2.17.0, 2.12.3, and 2.3.1.

Security Impact Summary

This vulnerability carries a MEDIUM severity rating with a CVSS v3.1 score of 5.9, indicating it can be exploited remotely over the network but requires specific conditions to be met without requiring user interaction and does not require pre-existing privileges . The vulnerability impacts and availability (service disruption) for affected systems. Impacting 121 products from apache, from netapp, from debian and 118 others, organizations running these solutions should prioritize assessment and patching.

Historical Context

Reported in 2021, this vulnerability emerged during an era marked by increased sophistication in supply chain attacks, cloud infrastructure vulnerabilities, and software-as-a-service (SaaS) security challenges. Security practices during this period emphasized zero-trust architectures, container security, and API protection.

Published

2021-12-18T12:15:07.433

Last Modified

2024-11-21T06:31:58.170

Status

Modified

Source

[email protected]

Severity

CVSSv3.1: 5.9 (MEDIUM)

CVSSv2 Vector

AV:N/AC:M/Au:N/C:N/I:N/A:P

Access Vector: NETWORK
Access Complexity: MEDIUM
Authentication: NONE
Confidentiality Impact: NONE
Integrity Impact: NONE
Availability Impact: PARTIAL

Exploitability Score

8.6

Impact Score

2.9

Weaknesses

Type: Secondary
CWE-20
CWE-674
Type: Primary
CWE-20
CWE-674

Affected Vendors & Products

Type	Vendor	Product	Version/Range	Vulnerable?
Application	apache	log4j	< 2.3.1	Yes
Application	apache	log4j	< 2.12.3	Yes
Application	apache	log4j	≤ 2.16.0	Yes
Application	netapp	cloud_manager	-	Yes
Operating System	debian	debian_linux	10.0	Yes
Operating System	debian	debian_linux	11.0	Yes
Application	sonicwall	email_security	≤ 10.0.12	Yes
Application	sonicwall	network_security_manager	< 3.0	Yes
Application	sonicwall	network_security_manager	< 3.0	Yes
Application	sonicwall	web_application_firewall	< 3.1.0	Yes
Operating System	sonicwall	6bk1602-0aa12-0tp0_firmware	< 2.7.0	Yes
Hardware	sonicwall	6bk1602-0aa12-0tp0	-	No
Operating System	sonicwall	6bk1602-0aa22-0tp0_firmware	< 2.7.0	Yes
Hardware	sonicwall	6bk1602-0aa22-0tp0	-	No
Operating System	sonicwall	6bk1602-0aa32-0tp0_firmware	< 2.7.0	Yes
Hardware	sonicwall	6bk1602-0aa32-0tp0	-	No
Operating System	sonicwall	6bk1602-0aa42-0tp0_firmware	< 2.7.0	Yes
Hardware	sonicwall	6bk1602-0aa42-0tp0	-	No
Operating System	sonicwall	6bk1602-0aa52-0tp0_firmware	< 2.7.0	Yes
Hardware	sonicwall	6bk1602-0aa52-0tp0	-	No
Application	oracle	agile_engineering_data_management	6.2.1.0	Yes
Application	oracle	agile_plm	9.3.6	Yes
Application	oracle	agile_plm_mcad_connector	3.6	Yes
Application	oracle	autovue_for_agile_product_lifecycle_management	21.0.2	Yes
Application	oracle	banking_deposits_and_lines_of_credit_servicing	2.12.0	Yes
Application	oracle	banking_enterprise_default_management	2.7.1	Yes
Application	oracle	banking_enterprise_default_management	2.12.0	Yes
Application	oracle	banking_loans_servicing	2.12.0	Yes
Application	oracle	banking_party_management	2.7.0	Yes
Application	oracle	banking_payments	14.5	Yes
Application	oracle	banking_platform	2.6.2	Yes
Application	oracle	banking_platform	2.7.1	Yes
Application	oracle	banking_platform	2.12.0	Yes
Application	oracle	banking_trade_finance	14.5	Yes
Application	oracle	banking_treasury_management	14.5	Yes
Application	oracle	business_intelligence	5.5.0.0.0	Yes
Application	oracle	communications_asap	7.3	Yes
Application	oracle	communications_billing_and_revenue_management	12.0.0.4	Yes
Application	oracle	communications_billing_and_revenue_management	12.0.0.5	Yes
Application	oracle	communications_cloud_native_core_console	1.9.0	Yes
Application	oracle	communications_cloud_native_core_network_function_cloud_native_environment	1.10.0	Yes
Application	oracle	communications_cloud_native_core_network_repository_function	1.15.0	Yes
Application	oracle	communications_cloud_native_core_network_repository_function	1.15.1	Yes
Application	oracle	communications_cloud_native_core_network_slice_selection_function	1.8.0	Yes
Application	oracle	communications_cloud_native_core_policy	1.15.0	Yes
Application	oracle	communications_cloud_native_core_security_edge_protection_proxy	1.7.0	Yes
Application	oracle	communications_cloud_native_core_service_communication_proxy	1.15.0	Yes
Application	oracle	communications_cloud_native_core_unified_data_repository	1.15.0	Yes
Application	oracle	communications_convergence	3.0.2.2.0	Yes
Application	oracle	communications_convergence	3.0.3.0	Yes
Application	oracle	communications_convergent_charging_controller	≤ 12.0.4.0.0	Yes
Application	oracle	communications_convergent_charging_controller	6.0.1.0.0	Yes
Application	oracle	communications_diameter_signaling_router	≤ 8.5.1.0	Yes
Application	oracle	communications_eagle_element_management_system	46.6	Yes
Application	oracle	communications_eagle_ftp_table_base_retrieval	4.5	Yes
Application	oracle	communications_element_manager	< 9.0	Yes
Application	oracle	communications_evolved_communications_application_server	7.1	Yes
Application	oracle	communications_interactive_session_recorder	6.3	Yes
Application	oracle	communications_interactive_session_recorder	6.4	Yes
Application	oracle	communications_ip_service_activator	7.4.0	Yes
Application	oracle	communications_messaging_server	8.1	Yes
Application	oracle	communications_network_charging_and_control	≤ 12.0.4.0.0	Yes
Application	oracle	communications_network_charging_and_control	6.0.1.0.0	Yes
Application	oracle	communications_network_integrity	7.3.6	Yes
Application	oracle	communications_performance_intelligence_center	10.4.0.3	Yes
Application	oracle	communications_pricing_design_center	12.0.0.4	Yes
Application	oracle	communications_pricing_design_center	12.0.0.5	Yes
Application	oracle	communications_service_broker	6.2	Yes
Application	oracle	communications_services_gatekeeper	7.0	Yes
Application	oracle	communications_session_report_manager	< 9.0	Yes
Application	oracle	communications_session_route_manager	< 9.0	Yes
Application	oracle	communications_unified_inventory_management	7.3.5	Yes
Application	oracle	communications_unified_inventory_management	7.4.1	Yes
Application	oracle	communications_unified_inventory_management	7.4.2	Yes
Application	oracle	communications_user_data_repository	12.4	Yes
Application	oracle	communications_webrtc_session_controller	7.2.0.0	Yes
Application	oracle	communications_webrtc_session_controller	7.2.1	Yes
Application	oracle	data_integrator	12.2.1.3.0	Yes
Application	oracle	data_integrator	12.2.1.4.0	Yes
Application	oracle	e-business_suite	12.2	Yes
Application	oracle	enterprise_manager_base_platform	13.4.0.0	Yes
Application	oracle	enterprise_manager_base_platform	13.5.0.0	Yes
Application	oracle	enterprise_manager_for_peoplesoft	13.4.1.1	Yes
Application	oracle	enterprise_manager_for_peoplesoft	13.5.1.1	Yes
Application	oracle	enterprise_manager_ops_center	12.4.0.0	Yes
Application	oracle	financial_services_analytical_applications_infrastructure	≤ 8.1.1	Yes
Application	oracle	financial_services_model_management_and_governance	8.0.8.0.0	Yes
Application	oracle	financial_services_model_management_and_governance	8.1.0.0.0	Yes
Application	oracle	financial_services_model_management_and_governance	8.1.1.0.0	Yes
Application	oracle	flexcube_universal_banking	≤ 12.4	Yes
Application	oracle	flexcube_universal_banking	≤ 14.3.0	Yes
Application	oracle	flexcube_universal_banking	11.83.3	Yes
Application	oracle	flexcube_universal_banking	14.5	Yes
Application	oracle	health_sciences_empirica_signal	9.1.0.6	Yes
Application	oracle	health_sciences_empirica_signal	9.2.0.0	Yes
Application	oracle	health_sciences_inform	6.2.1.1	Yes
Application	oracle	health_sciences_inform	6.3.2.1	Yes
Application	oracle	health_sciences_inform	7.0.0.0	Yes
Application	oracle	health_sciences_information_manager	≤ 3.0.4	Yes
Application	oracle	healthcare_data_repository	8.1.1	Yes
Application	oracle	healthcare_foundation	≤ 7.3.0.4	Yes
Application	oracle	healthcare_master_person_index	5.0.1	Yes
Application	oracle	healthcare_translational_research	4.1.0	Yes
Application	oracle	healthcare_translational_research	4.1.1	Yes
Application	oracle	hospitality_suite8	8.13.0	Yes
Application	oracle	hospitality_suite8	8.14.0	Yes
Application	oracle	hospitality_token_proxy_service	19.2	Yes
Application	oracle	hyperion_bi\+	< 11.2.8.0	Yes
Application	oracle	hyperion_data_relationship_management	< 11.2.8.0	Yes
Application	oracle	hyperion_infrastructure_technology	< 11.2.8.0	Yes
Application	oracle	hyperion_planning	< 11.2.8.0	Yes
Application	oracle	hyperion_profitability_and_cost_management	< 11.2.8.0	Yes
Application	oracle	hyperion_tax_provision	< 11.2.8.0	Yes
Application	oracle	identity_management_suite	12.2.1.3.0	Yes
Application	oracle	identity_management_suite	12.2.1.4.0	Yes
Application	oracle	identity_manager_connector	9.1.0	Yes
Application	oracle	instantis_enterprisetrack	17.1	Yes
Application	oracle	instantis_enterprisetrack	17.2	Yes
Application	oracle	instantis_enterprisetrack	17.3	Yes
Application	oracle	insurance_data_gateway	1.0.1	Yes
Application	oracle	insurance_insbridge_rating_and_underwriting	≤ 5.6.0.0	Yes
Application	oracle	insurance_insbridge_rating_and_underwriting	5.2.0	Yes
Application	oracle	insurance_insbridge_rating_and_underwriting	5.6.1.0	Yes
Application	oracle	jdeveloper	12.2.1.4.0	Yes
Application	oracle	managed_file_transfer	12.2.1.3.0	Yes
Application	oracle	managed_file_transfer	12.2.1.4.0	Yes
Application	oracle	management_cloud_engine	1.5.0	Yes
Application	oracle	mysql_enterprise_monitor	≤ 8.0.29	Yes
Application	oracle	payment_interface	19.1	Yes
Application	oracle	payment_interface	20.3	Yes
Application	oracle	peoplesoft_enterprise_peopletools	8.58	Yes
Application	oracle	peoplesoft_enterprise_peopletools	8.59	Yes
Application	oracle	primavera_gateway	≤ 17.12.11	Yes
Application	oracle	primavera_gateway	≤ 18.8.13	Yes
Application	oracle	primavera_gateway	≤ 19.12.12	Yes
Application	oracle	primavera_gateway	≤ 20.12.7	Yes
Application	oracle	primavera_gateway	21.12.0	Yes
Application	oracle	primavera_p6_enterprise_project_portfolio_management	≤ 19.12.18.0	Yes
Application	oracle	primavera_p6_enterprise_project_portfolio_management	≤ 20.12.12.0	Yes
Application	oracle	primavera_p6_enterprise_project_portfolio_management	21.12.0.0	Yes
Application	oracle	primavera_unifier	18.8	Yes
Application	oracle	primavera_unifier	19.12	Yes
Application	oracle	primavera_unifier	20.12	Yes
Application	oracle	primavera_unifier	21.12	Yes
Application	oracle	retail_back_office	14.1	Yes
Application	oracle	retail_central_office	14.1	Yes
Application	oracle	retail_customer_insights	15.0.2	Yes
Application	oracle	retail_customer_insights	16.0.2	Yes
Application	oracle	retail_data_extractor_for_merchandising	15.0.2	Yes
Application	oracle	retail_data_extractor_for_merchandising	16.0.2	Yes
Application	oracle	retail_eftlink	16.0.3	Yes
Application	oracle	retail_eftlink	17.0.2	Yes
Application	oracle	retail_eftlink	18.0.1	Yes
Application	oracle	retail_eftlink	19.0.1	Yes
Application	oracle	retail_eftlink	20.0.1	Yes
Application	oracle	retail_eftlink	21.0.0	Yes
Application	oracle	retail_financial_integration	≤ 16.0.3	Yes
Application	oracle	retail_financial_integration	14.1.3.2	Yes
Application	oracle	retail_financial_integration	15.0.3.1	Yes
Application	oracle	retail_financial_integration	19.0.0	Yes
Application	oracle	retail_financial_integration	19.0.1	Yes
Application	oracle	retail_integration_bus	≤ 16.0.3	Yes
Application	oracle	retail_integration_bus	≤ 19.0.1.0	Yes
Application	oracle	retail_integration_bus	14.1.3	Yes
Application	oracle	retail_integration_bus	14.1.3.2	Yes
Application	oracle	retail_integration_bus	15.0.3.1	Yes
Application	oracle	retail_integration_bus	19.0.0	Yes
Application	oracle	retail_integration_bus	19.0.1	Yes
Application	oracle	retail_invoice_matching	15.0.3	Yes
Application	oracle	retail_invoice_matching	16.0.3	Yes
Application	oracle	retail_merchandising_system	16.0.3	Yes
Application	oracle	retail_merchandising_system	19.0.1	Yes
Application	oracle	retail_order_broker	16.0	Yes
Application	oracle	retail_order_broker	18.0	Yes
Application	oracle	retail_order_broker	19.1	Yes
Application	oracle	retail_order_management_system	19.5	Yes
Application	oracle	retail_point-of-service	14.1	Yes
Application	oracle	retail_predictive_application_server	14.1.3.46	Yes
Application	oracle	retail_predictive_application_server	15.0.3.115	Yes
Application	oracle	retail_predictive_application_server	16.0.3.240	Yes
Application	oracle	retail_price_management	13.2	Yes
Application	oracle	retail_price_management	14.0.4	Yes
Application	oracle	retail_price_management	14.1.3.0	Yes
Application	oracle	retail_price_management	15.0.3.0	Yes
Application	oracle	retail_price_management	16.0.3.0	Yes
Application	oracle	retail_returns_management	14.1	Yes
Application	oracle	retail_service_backbone	≤ 16.0.3	Yes
Application	oracle	retail_service_backbone	14.1.3	Yes
Application	oracle	retail_service_backbone	14.1.3.2	Yes
Application	oracle	retail_service_backbone	15.0.3.1	Yes
Application	oracle	retail_service_backbone	19.0.0	Yes
Application	oracle	retail_service_backbone	19.0.1	Yes
Application	oracle	retail_service_backbone	19.0.1.0	Yes
Application	oracle	retail_store_inventory_management	14.0.4.13	Yes
Application	oracle	retail_store_inventory_management	14.1.3.5	Yes
Application	oracle	retail_store_inventory_management	14.1.3.14	Yes
Application	oracle	retail_store_inventory_management	15.0.3.3	Yes
Application	oracle	retail_store_inventory_management	15.0.3.8	Yes
Application	oracle	retail_store_inventory_management	16.0.3.7	Yes
Application	oracle	siebel_ui_framework	≤ 21.12	Yes
Application	oracle	sql_developer	< 21.4.2	Yes
Application	oracle	taleo_platform	< 22.1	Yes
Application	oracle	utilities_framework	≤ 4.3.0.6.0	Yes
Application	oracle	utilities_framework	4.4.0.0.0	Yes
Application	oracle	utilities_framework	4.4.0.2.0	Yes
Application	oracle	utilities_framework	4.4.0.3.0	Yes
Application	oracle	webcenter_portal	12.2.1.3.0	Yes
Application	oracle	webcenter_portal	12.2.1.4.0	Yes
Application	oracle	webcenter_sites	12.2.1.3.0	Yes
Application	oracle	webcenter_sites	12.2.1.4.0	Yes
Application	oracle	weblogic_server	12.2.1.3.0	Yes
Application	oracle	weblogic_server	12.2.1.4.0	Yes
Application	oracle	weblogic_server	14.1.1.0.0	Yes

References

http://www.openwall.com/lists/oss-security/2021/12/19/1 Mailing List, Mitigation, Third Party Advisory ([email protected])
https://cert-portal.siemens.com/productcert/pdf/ssa-479842.pdf Third Party Advisory ([email protected])
https://cert-portal.siemens.com/productcert/pdf/ssa-501673.pdf Third Party Advisory ([email protected])
https://logging.apache.org/log4j/2.x/security.html Release Notes, Vendor Advisory ([email protected])
https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2021-0032 Third Party Advisory ([email protected])
https://security.netapp.com/advisory/ntap-20211218-0001/ Third Party Advisory ([email protected])
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-apache-log4j-qRuKNEbd Third Party Advisory ([email protected])
https://www.debian.org/security/2021/dsa-5024 Third Party Advisory ([email protected])
https://www.kb.cert.org/vuls/id/930724 Third Party Advisory, US Government Resource ([email protected])
https://www.oracle.com/security-alerts/cpuapr2022.html Patch, Third Party Advisory ([email protected])
https://www.oracle.com/security-alerts/cpujan2022.html Patch, Third Party Advisory ([email protected])
https://www.oracle.com/security-alerts/cpujul2022.html Third Party Advisory ([email protected])
https://www.zerodayinitiative.com/advisories/ZDI-21-1541/ Third Party Advisory, VDB Entry ([email protected])
http://www.openwall.com/lists/oss-security/2021/12/19/1 Mailing List, Mitigation, Third Party Advisory (af854a3a-2127-422b-91ae-364da2661108)
https://cert-portal.siemens.com/productcert/pdf/ssa-479842.pdf Third Party Advisory (af854a3a-2127-422b-91ae-364da2661108)
https://cert-portal.siemens.com/productcert/pdf/ssa-501673.pdf Third Party Advisory (af854a3a-2127-422b-91ae-364da2661108)
https://logging.apache.org/log4j/2.x/security.html Release Notes, Vendor Advisory (af854a3a-2127-422b-91ae-364da2661108)
https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2021-0032 Third Party Advisory (af854a3a-2127-422b-91ae-364da2661108)
https://security.netapp.com/advisory/ntap-20211218-0001/ Third Party Advisory (af854a3a-2127-422b-91ae-364da2661108)
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-apache-log4j-qRuKNEbd Third Party Advisory (af854a3a-2127-422b-91ae-364da2661108)
https://www.debian.org/security/2021/dsa-5024 Third Party Advisory (af854a3a-2127-422b-91ae-364da2661108)
https://www.kb.cert.org/vuls/id/930724 Third Party Advisory, US Government Resource (af854a3a-2127-422b-91ae-364da2661108)
https://www.oracle.com/security-alerts/cpuapr2022.html Patch, Third Party Advisory (af854a3a-2127-422b-91ae-364da2661108)
https://www.oracle.com/security-alerts/cpujan2022.html Patch, Third Party Advisory (af854a3a-2127-422b-91ae-364da2661108)
https://www.oracle.com/security-alerts/cpujul2022.html Third Party Advisory (af854a3a-2127-422b-91ae-364da2661108)
https://www.zerodayinitiative.com/advisories/ZDI-21-1541/ Third Party Advisory, VDB Entry (af854a3a-2127-422b-91ae-364da2661108)

How SecUtils Interprets This CVE

SecUtils normalizes and enriches National Vulnerability Database (NVD) records by standardizing vendor and product identifiers, aggregating vulnerability metadata from both NVD and MITRE sources, and providing structured context for security teams. For apache's affected products, we extract Common Platform Enumeration (CPE) data, Common Weakness Enumeration (CWE) classifications, CVSS severity metrics, and reference data to enable rapid vulnerability prioritization and asset correlation. This record contains no exploit code, proof-of-concept instructions, or attack methodologies—only defensive intelligence necessary for patch management, risk assessment, and security operations.