
Vulnerability
CVE-2021-45105
CVSS Score: 7.5 Critical
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged
Confidentiality Impact: None
Integrity Impact: None
Availability Impact: High
CVSS Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
CWE: Not Recorded

Description


Apache Log4j2 versions 2.0-alpha1 through 2.16.0 (excluding 2.12.3) did not protect from uncontrolled recursion from self-referential lookups. This allows an attacker with control over Thread Context Map data to cause a denial of service when a crafted string is interpreted. This issue was fixed in Log4j 2.17.0 and 2.12.3.

===================================================
The following information is provided by Sonatype Nexus Intelligence. Nexus Intelligence is the only security research service that performs "secondary expansion" to determine if newly discovered vulnerabilities are also present in other components.
Learn more about Nexus Intelligence -- https://www.sonatype.com/products/intelligence
===================================================

Explanation
---------------------------------------------------
The `log4j-core` package is vulnerable to Denial of Service (DoS) due to Uncontrolled Recursion. The methods and classes listed below allow for recursive evaluation of lookups with user-supplied inputs. Remote attackers with control over `Thread Context Map` data can supply specially-crafted inputs containing a recursive lookup. This will result in the process terminating when the logging configuration uses a non-default `Pattern Layout` with a `Context Lookup`, leading to a DoS condition.

*Vulnerable File(s) and Function(s)*:
org/apache/logging/log4j/core/lookup/StrSubstitutor.class
* replace()
* substitute()
org/apache/logging/log4j/core/config/AbstractConfiguration.class
* initialize()
* doConfigure()

*Note:* The Attack Complexity of this vulnerability is still being discussed with the maintainers. We have deemed it High at this time due to the specific configuration necessary for the vulnerability to be exploited.
Detection
---------------------------------------------------
The application is vulnerable by using this component when the logging configuration uses a non-default Pattern Layout with a Context Lookup (for example, `$${ctx:loginId}`).

Reference: https://logging.apache.org/log4j/2.x/security.html

Recommendation
---------------------------------------------------
We recommend upgrading to a version of this component that is not vulnerable to this specific issue.

Mitigating controls from the project advisory:
```
Implement one of the following mitigation techniques:

Java 8 (or later) users should upgrade to release 2.17.0.

Alternatively, this can be mitigated in configuration:

In PatternLayout in the logging configuration, replace Context Lookups like ${ctx:loginId} or $${ctx:loginId} with Thread Context Map patterns (%X, %mdc, or %MDC).

Otherwise, in the configuration, remove references to Context Lookups like ${ctx:loginId} or $${ctx:loginId} where they originate from sources external to the application such as HTTP headers or user input.
```
Reference: https://logging.apache.org/log4j/2.x/security.html

Note: If this component is included as a bundled/transitive dependency of another component, there may not be an upgrade path. In this instance, we recommend contacting the maintainers who included the vulnerable package. Alternatively, we recommend investigating alternative components or a potential mitigating control.
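As an added example that is not part of this advisory or the Log4j project, the following log4j2.xml fragment places the Context Lookup pattern described under Detection next to the Thread Context Map pattern the project advisory recommends; the appender names and the `loginId` key are assumptions.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Added example; appender names and the "loginId" key are assumptions. -->
<Configuration status="WARN">
  <Appenders>
    <!-- BEFORE: a non-default PatternLayout with a Context Lookup.
         The value stored under "loginId" in the Thread Context Map is passed
         through lookup evaluation, which is the condition described in
         CVE-2021-45105 for affected log4j-core versions. -->
    <Console name="ConsoleWithContextLookup" target="SYSTEM_OUT">
      <PatternLayout pattern="%d{ISO8601} [%t] %-5level user=$${ctx:loginId} %c - %m%n"/>
    </Console>

    <!-- AFTER: the same field rendered with a Thread Context Map pattern (%X),
         the configuration mitigation listed in the project advisory. The value
         is emitted directly rather than interpreted as a lookup. -->
    <Console name="ConsoleWithMdcPattern" target="SYSTEM_OUT">
      <PatternLayout pattern="%d{ISO8601} [%t] %-5level user=%X{loginId} %c - %m%n"/>
    </Console>
  </Appenders>
  <Loggers>
    <!-- Only the mitigated appender is wired to the root logger. -->
    <Root level="info">
      <AppenderRef ref="ConsoleWithMdcPattern"/>
    </Root>
  </Loggers>
</Configuration>
```

Upgrading to 2.17.0 (or 2.12.3) remains the primary fix; the pattern change is the advisory's configuration-level control for deployments that cannot upgrade immediately.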
