Catch vulnerabilities in your projects, automatically on every pull request. Try Sonatype Lift for free. Install Lift


CVSS Score 7.5 Critical

Attack Vector


Attack Complexity


Privileges Required


User Interaction




Confidentiality Impact


Integrity Impact


Availability Impact


CVSS Vector



Not Recorded


[CVE-2021-45105] Apache Log4j2 versions 2.0-alpha1 through 2.16.0 (excluding 2.12.3) did not prot...

Apache Log4j2 versions 2.0-alpha1 through 2.16.0 (excluding 2.12.3) did not protect from uncontrolled recursion from self-referential lookups. This allows an attacker with control over Thread Context Map data to cause a denial of service when a crafted string is interpreted. This issue was fixed in Log4j 2.17.0 and 2.12.3. =================================================== The following information is provided by Sonatype Nexus Intelligence. Nexus Intelligence is the only security research service that performs "secondary expansion" to determine if newly discovered vulnerabilities are also present in other components. Learn more about Nexus Intelligence -- =================================================== Explanation --------------------------------------------------- The `log4j-core` package is vulnerable to Denial of Service (DoS) due to Uncontrolled Recursion. The methods and classes listed below allow for recursive evaluation of lookups with user-supplied inputs. Remote attackers with control over `Thread Context Map` data can supply specially-crafted inputs containing a recursive lookup. This will result in the process terminating when the logging configuration uses a non-default `Pattern Layout` with a `Context Lookup`, leading to a DoS condition. *Vulnerable File(s) and Function(s)*: org/apache/logging/log4j/core/lookup/StrSubstitutor.class * replace() * substitute() org/apache/logging/log4j/core/config/AbstractConfiguration.class * initialize() * doConfigure() *Note:* The Attack Complexity of this vulnerability is still being discussed with the maintainers. We have deemed it High at this time due to the specific configuration necessary for the vulnerability to be exploited. Detection --------------------------------------------------- The application is vulnerable by using this component when the logging configuration uses a non-default Pattern Layout with a Context Lookup (for example, `$${ctx:loginId}`) Reference: Recommendation --------------------------------------------------- We recommend upgrading to a version of this component that is not vulnerable to this specific issue. Mitigating controls from the project advisory: ``` Implement one of the following mitigation techniques: Java 8 (or later) users should upgrade to release 2.17.0. Alternatively, this can be mitigated in configuration: In PatternLayout in the logging configuration, replace Context Lookups like ${ctx:loginId} or $${ctx:loginId} with Thread Context Map patterns (%X, %mdc, or %MDC). Otherwise, in the configuration, remove references to Context Lookups like ${ctx:loginId} or $${ctx:loginId} where they originate from sources external to the application such as HTTP headers or user input. ``` Reference: Note: If this component is included as a bundled/transitive dependency of another component, there may not be an upgrade path. In this instance, we recommend contacting the maintainers who included the vulnerable package. Alternatively, we recommend investigating alternative components or a potential mitigating control.

Sign in and get help with:

  • Vulnerability details for your components
  • Affected components
  • Affected versions