
CVE-2021-45105

Apache Log4j2 vulnerable to Improper Input Validation and Uncontrolled Recursion

Apache Log4j2 versions 2.0-alpha1 through 2.16.0 (excluding 2.12.3) did not protect against uncontrolled recursion from self-referential lookups. This allows an attacker with control over Thread Context Map data to cause a denial of service when a crafted string is interpreted. This issue was fixed in Log4j 2.17.0 and 2.12.3.

# Affected packages

Only the `org.apache.logging.log4j:log4j-core` package is directly affected by this vulnerability. If `org.apache.logging.log4j:log4j-api` is in use, it should be kept at the same version as `org.apache.logging.log4j:log4j-core` to ensure compatibility.

Patch Available

Vulnerability Details

Score: 8.5
Score Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H
Affected Versions:
- org.apache.logging.log4j:log4j-core >= 2.4.0 < 2.12.3
- org.apache.logging.log4j:log4j-core >= 2.13.0 < 2.17.0
- org.apache.logging.log4j:log4j-core < 2.3.1
- org.ops4j.pax.logging:pax-logging-log4j2 >= 1.8.0 < 1.9.2
- org.ops4j.pax.logging:pax-logging-log4j2 >= 1.10.0 < 1.10.9
- org.ops4j.pax.logging:pax-logging-log4j2 >= 1.11.0 < 1.11.12
- org.ops4j.pax.logging:pax-logging-log4j2 >= 2.0.0 < 2.0.13
Severity: High
Ecosystem
Publish Date: December 18, 2021
Modified Date: May 9, 2025