
CVE-2021-45105 : What You Need to Know

Learn about CVE-2021-45105 impacting Apache Log4j2 versions 2.0-alpha1 to 2.16.0, allowing denial of service attacks. Find mitigation steps and patching guidance here.

Apache Log4j2 versions 2.0-alpha1 through 2.16.0 have a vulnerability that allows uncontrolled recursion, potentially leading to a denial of service. This CVE was independently discovered by security researchers from Akamai Technologies and Trend Micro Research.

Understanding CVE-2021-45105

Apache Log4j2 vulnerability affecting versions prior to 2.17.0.

What is CVE-2021-45105?

Apache Log4j2 versions 2.0-alpha1 through 2.16.0 do not protect against uncontrolled recursion from self-referential lookups, so an attacker who controls Thread Context Map data can trigger a denial of service when a crafted string is evaluated.

The Impact of CVE-2021-45105

The vulnerability poses a high level of risk due to its potential for denial of service attacks.

Technical Details of CVE-2021-45105

Apache Log4j2 vulnerability details.

Vulnerability Description

Versions 2.0-alpha1 through 2.16.0 of Apache Log4j2 are susceptible to uncontrolled recursion, allowing attackers to craft strings that lead to denial of service. This issue is fixed in version 2.17.0.

Affected Systems and Versions

Affected versions are 2.0-alpha1 through 2.16.0, excluding the fixed maintenance releases 2.12.3 and 2.3.1.
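As an added example (not code from Cloud Defense or the Log4j project), the following script turns the affected range above into a check that can be run over a dependency listing. It parses Log4j version strings (pre-release qualifiers such as 2.0-alpha1 sort before the final 2.0 release), flags anything from 2.0-alpha1 through 2.16.0 as affected, and treats 2.12.3 and 2.3.1 as fixed; it also treats any later patch level on those two branches as fixed, which goes slightly beyond the list on the page. The dependency listing is a constructed sample in the shape of Maven's dependency output, not real build output.

```python
import re
from typing import List, NamedTuple

# Pre-release qualifiers sort before the final release: 2.0-alpha1 < 2.0-beta9 < 2.0-rc2 < 2.0
_QUALIFIER_RANK = {"alpha": 0, "beta": 1, "rc": 2}
_FINAL_RANK = 3


class Log4jVersion(NamedTuple):
    major: int
    minor: int
    patch: int
    qualifier_rank: int   # alpha < beta < rc < final
    qualifier_num: int    # the "1" in alpha1


_VERSION_RE = re.compile(
    r"^(\d+)\.(\d+)(?:\.(\d+))?(?:-(alpha|beta|rc)(\d+))?$", re.IGNORECASE
)


def parse_version(text: str) -> Log4jVersion:
    """Parse strings such as '2.0-alpha1', '2.12.3' or '2.16.0' into a comparable tuple."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised Log4j version: {text!r}")
    major, minor, patch, qualifier, qualifier_num = m.groups()
    return Log4jVersion(
        int(major),
        int(minor),
        int(patch or 0),
        _QUALIFIER_RANK[qualifier.lower()] if qualifier else _FINAL_RANK,
        int(qualifier_num) if qualifier_num else 0,
    )


FIRST_AFFECTED = parse_version("2.0-alpha1")
LAST_AFFECTED = parse_version("2.16.0")
# Fixed maintenance releases inside the affected range, keyed by branch
# (major, minor) -> first fixed patch level: 2.12.3 and 2.3.1.
BRANCH_FIX = {(2, 12): 3, (2, 3): 1}


def is_affected(text: str) -> bool:
    """True if the given log4j-core version falls in the CVE-2021-45105 affected range."""
    v = parse_version(text)
    if not FIRST_AFFECTED <= v <= LAST_AFFECTED:
        return False
    first_fixed = BRANCH_FIX.get((v.major, v.minor))
    if first_fixed is not None and v.qualifier_rank == _FINAL_RANK and v.patch >= first_fixed:
        return False  # 2.12.3, 2.3.1 and later patch levels on those branches
    return True


# Constructed sample in the shape of `mvn dependency:list` output (not real build output).
SAMPLE_DEPENDENCY_LIST = """\
[INFO]    org.apache.logging.log4j:log4j-api:jar:2.14.1:compile
[INFO]    org.apache.logging.log4j:log4j-core:jar:2.14.1:compile
[INFO]    org.slf4j:slf4j-api:jar:1.7.32:compile
"""

# Only log4j-core carries the vulnerable lookup code, so only it is matched.
_CORE_COORD_RE = re.compile(r"org\.apache\.logging\.log4j:log4j-core:jar:([^:\s]+)")


def affected_artifacts(dependency_list: str) -> List[str]:
    """Return 'log4j-core:<version>' for each log4j-core entry in an affected version."""
    hits = []
    for m in _CORE_COORD_RE.finditer(dependency_list):
        version = m.group(1)
        try:
            if is_affected(version):
                hits.append(f"log4j-core:{version}")
        except ValueError:
            pass  # non-standard version string; review it by hand
    return hits


if __name__ == "__main__":
    for v in ["2.0-alpha1", "2.12.2", "2.12.3", "2.16.0", "2.17.0"]:
        print(f"{v:10} affected={is_affected(v)}")
    print(affected_artifacts(SAMPLE_DEPENDENCY_LIST))
```

The version comparison relies on tuple ordering, so a pre-release such as 2.0-beta9 compares below the final 2.0 release but still inside the affected range, which is exactly what the page's "2.0-alpha1 through 2.16.0" wording implies.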

Exploitation Mechanism

An attacker who controls Thread Context Map data supplies a crafted string that causes uncontrolled recursion during lookup evaluation, resulting in a denial of service.

Mitigation and Prevention

Protecting against CVE-2021-45105.

Immediate Steps to Take

Upgrade to Log4j 2.17.0 if using Java 8 or later (the fixed releases for older branches are 2.12.3 for Java 7 and 2.3.1 for Java 6).
Modify logging configurations to replace Context Lookups (the ${ctx:...} form) in PatternLayout patterns with the Thread Context Map patterns %X or %mdc.
Remove Context Lookups whose values originate outside the application, such as HTTP headers or user input.
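The configuration change above, as an added example that is not part of this page or of the Log4j project: the script below parses a log4j2.xml document, reports every ${ctx:key} Context Lookup found in a PatternLayout (whether given as a pattern attribute or a nested Pattern element), and produces a hardened copy in which each one is replaced by the equivalent %X{key} pattern. The configuration it runs on is a constructed sample written for this example. It audits only the configuration; whether untrusted data such as HTTP headers is ever placed into the Thread Context is a question for the application code.

```python
import re
import xml.etree.ElementTree as ET
from typing import List, NamedTuple

# Constructed sample log4j2.xml with two vulnerable Context Lookups (not a real deployment's config).
VULNERABLE_CONFIG = """<?xml version="1.0" encoding="UTF-8"?>
<Configuration status="WARN">
  <Appenders>
    <Console name="Console" target="SYSTEM_OUT">
      <PatternLayout pattern="%d{ISO8601} [%t] %-5level user=${ctx:loginId} %c - %m%n"/>
    </Console>
    <File name="Audit" fileName="audit.log">
      <PatternLayout>
        <Pattern>%d %p reqId=${ctx:requestId:-none} %m%n</Pattern>
      </PatternLayout>
    </File>
  </Appenders>
  <Loggers>
    <Root level="info">
      <AppenderRef ref="Console"/>
      <AppenderRef ref="Audit"/>
    </Root>
  </Loggers>
</Configuration>
"""

# Matches ${ctx:key} and ${ctx:key:-default} (Log4j's default-value suffix), capturing the key.
CTX_LOOKUP = re.compile(r"\$\{ctx:([A-Za-z0-9_.\-]+)(?::-[^}]*)?\}", re.IGNORECASE)


class Finding(NamedTuple):
    appender: str  # name attribute of the appender that owns the layout
    key: str       # Thread Context Map key referenced by the lookup
    pattern: str   # full pattern string in which the lookup appears


def _pattern_slots(root):
    """Yield (layout, holder, attr) for each place a PatternLayout stores its pattern.

    attr is "pattern" when the pattern is an attribute of the layout element and
    None when it is the text of a nested <Pattern> element.
    """
    for layout in root.iter("PatternLayout"):
        if layout.get("pattern") is not None:
            yield layout, layout, "pattern"
        for child in layout.findall("Pattern"):
            if child.text:
                yield layout, child, None


def _get(holder, attr):
    return holder.get(attr) if attr else holder.text


def _set(holder, attr, value):
    if attr:
        holder.set(attr, value)
    else:
        holder.text = value


def find_context_lookups(xml_text: str) -> List[Finding]:
    """Report every ${ctx:...} lookup used inside a PatternLayout."""
    root = ET.fromstring(xml_text)
    parent_of = {child: parent for parent in root.iter() for child in parent}
    findings = []
    for layout, holder, attr in _pattern_slots(root):
        pattern = _get(holder, attr)
        appender = parent_of.get(layout)
        name = appender.get("name", appender.tag) if appender is not None else "?"
        for m in CTX_LOOKUP.finditer(pattern):
            findings.append(Finding(name, m.group(1), pattern))
    return findings


def harden_patterns(xml_text: str) -> str:
    """Return the configuration with each ${ctx:key} replaced by %X{key}."""
    root = ET.fromstring(xml_text)
    for _, holder, attr in _pattern_slots(root):
        _set(holder, attr, CTX_LOOKUP.sub(r"%X{\1}", _get(holder, attr)))
    return ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    for f in find_context_lookups(VULNERABLE_CONFIG):
        print(f"appender={f.appender} key={f.key} pattern={f.pattern!r}")
    print(harden_patterns(VULNERABLE_CONFIG))
```

%X{key} reads the value directly from the Thread Context Map without running the string-substitution lookup machinery, which is why the page lists %X and %mdc as the safe replacements; %mdc{key} and %MDC{key} are synonyms for %X{key} and could be substituted instead. A default value attached to a lookup (the :-none in the sample) is dropped in the rewrite, so review such patterns by hand after running the script.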

Long-Term Security Practices

Regularly update Log4j to the latest version to patch vulnerabilities.

Patching and Updates

Patch the Log4j library to version 2.17.0 to mitigate the CVE-2021-45105 vulnerability.
