CVE-2021-45105

CVSSv2: 4.3

Published: 18/12/2021 Updated: 30/12/2021
CVSS v2 Base Score: 4.3 | Impact Score: 2.9 | Exploitability Score: 8.6
CVSS v3 Base Score: 5.9 | Impact Score: 3.6 | Exploitability Score: 2.2
Vector: AV:N/AC:M/Au:N/C:N/I:N/A:P

Vulnerability Summary

Apache Log4j2 versions 2.0-alpha1 up to and including 2.16.0 (excluding 2.12.3 and 2.3.1) did not protect from uncontrolled recursion from self-referential lookups. This allows an attacker with control over Thread Context Map data to cause a denial of service when a crafted string is interpreted. This issue was fixed in Log4j 2.17.0, 2.12.3, and 2.3.1.


Vulnerable Products

apache log4j

netapp cloud manager

debian debian linux 10.0

debian debian linux 11.0

sonicwall email security

sonicwall network security manager

sonicwall web application firewall

sonicwall 6bk1602-0aa12-0tp0_firmware

sonicwall 6bk1602-0aa22-0tp0_firmware

sonicwall 6bk1602-0aa32-0tp0_firmware

sonicwall 6bk1602-0aa42-0tp0_firmware

sonicwall 6bk1602-0aa52-0tp0_firmware

Vendor Advisories

Debian Bug report logs - #1001891 apache-log4j2: CVE-2021-45105: Certain strings can cause infinite recursion. Package: src:apache-log4j2; Maintainer for src:apache-log4j2 is Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>; Reported by: Salvatore Bonaccorso <carnil@debian.org>; Date: Sat, 18 Dec 2 ...
It was found that Apache Log4j2, a logging framework for Java, did not protect from uncontrolled recursion from self-referential lookups. When the logging configuration uses a non-default Pattern Layout with a Context Lookup (for example, $${ctx:loginId}), attackers with control over Thread Context Map (MDC) input data can craft malicious input dat ...
SSA-479842: Apache Log4j Vulnerabilities - Impact to Siemens Energy Sensformer (Platform, Basic and Advanced). Publication Date: 2021-12-21; Last Update: 2021-12-21; Current Version: 1.0; CVSS v3.1 Base Score: 10.0. SUMMARY: On 2021-12-09, a vulnerability in Apach ...
SSA-501673: Apache Log4j Denial of Service Vulnerability (CVE-2021-45105) - Impact to Siemens Products. Publication Date: 2021-12-19; Last Update: 2021-12-19; Current Version: 1.0; CVSS v3.1 Base Score: 7.5. SUMMARY: Apache Log4j2 versions 2.0-alpha1 through 2.16 ...

Github Repositories

Showcase log4j vulnerability. Updates 2021-12-20: added working example for DoS based on log4j 2.16.0. This repo is for educational purposes; I neither endorse nor encourage any malicious use of this repo. It requires a Kubernetes environment to run the app and the tests. Credits go to Eden Federman and Christophe Tafani-Dereeper, Tejas Nagchandi; their repos/posts gave me

Remove-Log4JVulnerabilityClass: Log4J vulnerability script to remove the "JndiLookupClass" from JAR files. SCRIPTS: There are two different types of PS scripts. Output examples are added beside the scripts. Remove-Log4J_JndiLookupClass-PSv5.ps1 (Outdated): this script can only run locally on a computer. Remove-Log4J_JndiLookupClassRemotely-PSv5.ps1: this script can run locally

Log4j_dos_CVE-2021-45105: PoC ${${::-${::-$${::-j}}}}. Reference: issues.apache.org/jira/browse/LOG4J2-3230

CVE-2021-45105 Replicating CVE-2021-45105

Description: about log4j2 DoS exploit. log4j2 DoS exploit script; CVE-2021-45105 exploit script. Usage (how to use). English: Log4j2_dos.py -u <url> -m <method> -d <params> -H <header> -l <loop> -t <thread>; -u,--url attack target; -m,--method http method, only get and post, default is get

- IMPORTANT: this project is affected by the CVE-2021-45105 vulnerability. Click & Buy: online buying and selling simulation. Report a bug · Request a new feature. Table of contents: About the project; Technologies

henlo_there bitly/x0o12: If you're reading this file, then you have been affected by the log4j vulnerability (CVE-2021-45105). Next steps: logging.apache.org/log4j/2.x/security.html

Sample Log4j2 vulnerable application (CVE-2021-45105). Versions affected: all versions from 2.0-beta9 to 2.16.0. This application is a Spring Boot web application vulnerable to CVE-2021-45105; it uses Log4j 2.16.0. Running the application: import the project in a Java IDE as a Maven project and run CVEMainApplication.java as a Spring Boot app.

This Elasticsearch image v7.10.2 is patched against the following log4j vulnerabilities: CVE-2021-44228, CVE-2021-45046, CVE-2021-45105. Since only the two latest versions 7.16.2 and 6.8.22 of Elasticsearch were patched by the vendor, but numerous products use exclusively interim releases (i.e. Graylog), we've decided to release a patched image, although is the image according to e

Choose your own SIEM adventure: repo of configs for the three major SIEMs. Blog posts: Elastic, Graylog, Splunk. Security notes: Default password is set to Changem123! Docker-composes v2.X are for development ONLY and are NOT secure for production. Config directory: conf/; conf/ansible/* - This directory contains all the configs for the Ansible playbooks and a manual install con

Sourced from github.com/N-able/CustomMonitoring/tree/master/Vulnerability%20-%20CVE-2021-44228%20(Log4j). Name: get-log4jrcevulnerability.ps1; Version: 0243 (23rd December 2021); Author: Prejay Shah (Doherty Associates). Thanks: Christopher Bledsoe (IPM Computers) for some bugfixes, Robby Swartenbroekx (b-Inside) for some ideas, Arctic Wolf for coming up with a way to de

appsecutil: This repo contains a utility to pull AppSec data from Dynatrace using the REST API. In order to use this utility, you need 2 items: the Dynatrace tenant URL (Managed: {your-domain}/e/{your-environment-id}; SaaS: {your-environment-id}.live.dynatrace.com) and an API Token (you need the Write configuration (WriteConfig) permission assigned to y

Patching the Log4j vulnerability in Gluu Server. Gluu Server versions covered: Gluu v4, v3 (from 3.1.5 to 3.1.8), Community Edition, Cloud Native and Snapcraft. Security vulnerabilities: CVE-2021-45105, CVE-2021-45046 and CVE-2021-44228. Log4j library versions affected: 2.16 and earlier. Overview: On December 17th, Apache announced critical vulnerabilities that would all

Log4shell vulnerabilities (CVE-2021-44228, CVE-2021-45046, CVE-2021-4104, CVE-2021-45105). This repo contains operational information regarding the Log4shell vulnerability in the Log4j logging library, especially CVE-2021-44228 / CVE-2021-45046, and also covers CVE-2021-4104 / CVE-2021-45105. For additional information see: NCSC-NL advisory, MITRE, CSIRT network members advisories

log4j-scout: A simple program that looks for vulnerable instances of log4j on the file system. Currently only compatible with Linux-based systems, it can be used to quickly find vulnerable libraries. The underlying code analyses file hashes. All Log4j 2.x versions and their respective metadata are available in data/log4j_vulnerabilities.yml. See more about the available detect

ByeLog4Shell: Use Log4Shell vulnerability to vaccinate a victim server against Log4Shell. Description: A vulnerability impacting Apache Log4j versions 2.0 through 2.14.1 was disclosed on the project's Github on December 9, 2021. The flaw has been dubbed "Log4Shell," and has the highest possible severity rating of 10. Software made or managed by the Apache Softwa

WebApp Hardware Bridge. Security Warning: Versions <= 0.13.0 are known to be affected by log4j vulnerabilities (CVE-2021-44228, CVE-2021-45105, CVE-2021-45046). Existing users are strongly recommended to update to 0.14.0 or above as soon as possible. Introduction: WebApp Hardware Bridge (successor of "Chrome Hardware Bridge / Chrome Direct Print") makes it possible

Introduction: This project is intended to debunk two common misbeliefs regarding the impact of the recently discovered Log4j 2.x vulnerabilities on Java applications, as reported by the following CVE records: CVE-2021-44228, CVE-2021-45046, CVE-2021-45105. The first two, famously nicknamed Log4Shell, enable Remote Code Execution, while the last one allows a Denial of Service. Mis

Log4j RCE Research Lab: A basic research lab to learn more about Log4Shell: CVE-2021-45105, CVE-2021-45046, CVE-2021-44228. Used by Microsoft Sentinel To-Go! CVE-2021-44228-Log4Shell Demo. Deploy LDAP Reference & Web Servers: Clone repo (sudo su; git clone github.com/zeroonesa/ctf_log4jshell); run Docker Compose file (cd ctf_log

Log4jSherlock 08520211218: Log4j scanner coded in PowerShell, so you can run it in Windows! This tool scans for JAR, WAR, EAR, JPI, HPI files that contain the affected JndiLookup.class, even in nested files. Scans nested files; searches for the affected JNDI class. Scans for the following CVEs: CVE-2021-44228 Apache Log4j2 2.0-beta9 through 2.12.1 and 2.13.0 through 21

Log4j Vulnerabilities Mass Scanner: Automated scan of thousands of hosts in your Active Directory domain in minutes for Log4j vulnerabilities, with a multithreaded mass scanner and detailed report. Supported CVE(s): CVE-2021-4104, CVE-2021-44228, CVE-2021-44832, CVE-2021-45046, CVE-2021-45105. Details: Get enabled servers list from Active Directory; multithreaded scan of all domain host

Log4J-Mitigation-CVE-2021-44228,CVE-2021-45046,CVE-2021-45105. Update - 17-Dec-2021: Overnight, it was disclosed by Apache that Log4j version 2.16 is also vulnerable by way of a Denial of Service attack, with the impact being a full application crash; the severity for this is classified as High (7.5). CVE-2021-45105 has been issued, and a new fixed version (2.17) has been p

Log4Shell Scanner (log4shell-scanner-rs) is a CLI application written in Rust. It scans the file system to find Java applications that may be vulnerable to Log4Shell-related vulnerabilities (CVE-2021-44228, CVE-2021-45046, CVE-2021-45105, CVE-2021-44832). Detail of Log4Shell vulnerabilities affecting Log4j2: CVE | Severity | Fix version (min Java version)

Apache JMeter: The JMeter application is open source software to load test functional behavior and measure performance. Tag history: 5.4.2-20211221, latest (Dockerfile) from alpine:3.15.0; updated: Apache JMeter v5.4.2; updated: java-json 20211205; updated: MySQL-connector v8.0.27; vulnerable updates: lib/httpclient 4.5.13 (GHSA-7r82-7xv7-xcpj, CVE-2020-13956), lib/jackson-d

Supplier | Product | Version (see Status) | Status CVE-2021-4104 | Status CVE-2021-44228 | Status CVE-2021-45046 | Status CVE-2021-45105 | Notes | Links

Shulkr is a tool that decompiles multiple versions of Minecraft and commits each version to Git. Warning: You CANNOT publish any code generated by this tool; for more info, see the usage guidelines. Version 0.3.3 fixed a major bug with the commit generation; it is recommended to remove all commits created before this and recreate them with the patch. No Log4j Vulnerabili

New Open Source Projects. Table of Contents: 2021: Week 50 (2021/12/13-2021/12/19); 2021: Week 49 (2021/12/06-2021/12/12); 2021: Week 48 (2021/11/29-2021/12/05). 2021: Week 50 (2021/12/13-2021/12/19): Log4j Scan - A fully automated, accurate, and extensive scanner for finding log4j RCE CVE-2021-44228; Log4j Affected Db - A community sourced list of log4j-affected software; Ambiguous

log4shell-hunting: As the log4j "sawdust" settles, many organizations may want to take further proactive steps to hunt for current or prior abuse of CVE-2021-44228 in their environment. This resource takes a threat hunting approach, not only to replace identification of attempted attacks on the network, a role that is ideally primarily fulfilled by existing security pro

Log4Shell Vulnerable Java App. Paul McCarty, January 10, 2022; based on the Jasmin project. CVEs in scope for this document: CVE-2021-44228, CVE-2021-4104, CVE-2021-44832, CVE-2021-45046, CVE-2021-45105

CVE-2021-44228-log4j discovery (Download the MKP package). This plugin discovers vulnerable files for the CVE-2021-44228-log4j issue. To discover these files it uses the CVE-2021-44228-Scanner from logpresso. The scanner (and so the plugin) can discover the following log4j issues: CVE-2021-44228, CVE-2021-4104, CVE-2021-42550, CVE-2021-45105, CVE-2021-45046, CVE-2021-44832 RCE. Note: I

Log4J-Mitigation-CVE-2021-44228,CVE-2021-45046,CVE-2021-45105,CVE-2021-44832. Please keep an eye on this page as the Apache Log4j team is disclosing a lot more CVEs and fixing security issues very rapidly. Update - 28-Dec-2021: CVE-2021-44832: Apache Log4j2 vulnerable to RCE via JDBC Appender when attacker controls configuration. Fixed in Log4j 2.17.1 (Java 8), 2.12.4 (Java 7) and 23

Recent Articles

Log4j Vulnerabilities: Attack Insights
Symantec Threat Intelligence Blog • Siddhesh Chandrayan • 23 Dec 2022

Symantec data shows variation and scope of attacks.

Posted: 23 Dec, 2021 · 4 Min Read. Apache Log4j is a Java-based logging utility. The library's main role is to log information related to security and performance to make error debugging easier and to enable applications to run smoothly. The library is part of the Apache Logging Services, a project of the A...

Four million outdated Log4j downloads were served from Apache Maven Central alone despite vuln publicity blitz
The Register • Gareth Corfield • 11 Jan 2022

It's not as though folks haven't been warned about this

There have been millions of downloads of outdated, vulnerable Log4j versions despite the emergence of a serious security hole in December 2021, according to figures compiled by the firm that runs Apache Maven's Central Repository.
That company, Sonatype, said it had seen four million downloads of exploitable Log4j versions from the repository alone between 10 December and the present day, out of a total of more than 10 million downloads over those past four weeks.
Tracked as CVE-2021...

‘Hack DHS’ bug bounty program expands to Log4j security flaws
BleepingComputer • Sergiu Gatlan • 22 Dec 2021

The Department of Homeland Security (DHS) has announced that the 'Hack DHS' program is now also open to bug bounty hunters willing to track down DHS systems impacted by Log4j vulnerabilities.
"In response to the recently discovered log4j vulnerabilities, @DHSgov  is expanding the scope of our new #HackDHS bug bounty program and including additional incentives to find and patch log4j-related vulnerabilities in our systems," 
DHS Secretary Alejandro N. Mayorkas.
"In partnersh...

Third Log4J Bug Can Trigger DoS; Apache Issues Patch
Threatpost • Lisa Vaas • 20 Dec 2021

No, you’re not seeing triple: On Friday, Apache released yet another patch – version 2.17 – for yet another flaw in the ubiquitous log4j logging library, this time for a DoS bug.
Trouble comes in threes, and this is the third one for log4j. The latest bug isn’t a variant of the Log4Shell remote-code execution (RCE) bug that’s plagued IT teams since Dec. 10, coming under active attack worldwide within hours of its public disclosure, spawning even nastier mutations and leading to t...

Bad things come in threes: Apache reveals another Log4J bug
The Register • Simon Sharwood, APAC Editor • 19 Dec 2021

Third major fix in ten days is an infinite recursion flaw rated 7.5/10

The Apache Software Foundation (ASF) has revealed a third bug in its Log4 Java-based open-source logging library Log4j.
CVE-2021-45105 is a 7.5/10-rated infinite recursion bug that was present in Log4j2 versions 2.0-alpha1 through 2.16.0. The fix is version 2.17.0 of Log4j.
That’s the third new version of the tool in the last ten days.
In case you haven’t been paying attention, version 2.15.0 was created to fix CVE-2021-44228, the critical-rated and trivial-to-exploit remot...

Upgraded to log4j 2.16? Surprise, there's a 2.17 fixing DoS
BleepingComputer • Ax Sharma • 18 Dec 2021

All set for the weekend? Not so fast. Yesterday, BleepingComputer 
all the log4j and logback CVEs known thus far.
Ever since the critical log4j zero-day saga started last week, security experts have time and time again recommended version 2.16 as the safest release to be on.
That changes today with version 2.17.0 out that fixes a seemingly-minor, but 'High' severity Denial of Service (DoS) vulnerability that affects log4j 2.16.
And, yes, this DoS bug comes with yet...

FTC warns companies to secure consumer data from Log4J attacks
BleepingComputer • Sergiu Gatlan • 01 Jan 1970

The US Federal Trade Commission (FTC) has warned today that it will go after any US company that fails to protect its customers' data against ongoing Log4J attacks.
"The FTC intends to use its full legal authority to pursue companies that fail to take reasonable steps to protect consumer data from exposure as a result of Log4j, or similar known vulnerabilities in the future," the US government agency 
.
"The duty to take reasonable steps to mitigate known software vulnerabilit...

CISA releases Apache Log4j scanner to find vulnerable apps
BleepingComputer • Sergiu Gatlan • 01 Jan 1970

The Cybersecurity and Infrastructure Security Agency (CISA) has
the release of a scanner for identifying web services impacted by two Apache Log4j remote code execution vulnerabilities, tracked as CVE-2021-44228 and CVE-2021-45046.
"log4j-scanner is a project derived from other members of the open-source community by CISA's Rapid Action Force team to help organizations identify potentially vulnerable web services affected by the log4j vulnerabilities," the cybersecurity agency