Uncontrolled Recursion in org.apache.logging.log4j:log4j-core
CVE-2021-45105
- org.apache.logging.log4j:log4j-core
- org.ops4j.pax.logging:pax-logging-log4j2
Summary
Apache Log4j2 did not protect against uncontrolled recursion caused by self-referential lookups. This allows an attacker with control over Thread Context Map data to cause a denial of service when a crafted string is interpreted. Only the log4j-core package is directly affected by this vulnerability. This issue affects org.apache.logging.log4j:log4j-core versions 2.0-alpha1 through 2.3.0, 2.4.0 through 2.12.2, and 2.13.0 through 2.16.0, and the package org.ops4j.pax.logging:pax-logging-log4j2 versions 1.8.0 through 1.9.1, 1.10.1 through 1.10.8, 1.11.0 through 1.11.12, and 2.0.0 through 2.0.12.
- HIGH
- NETWORK
- NONE
- UNCHANGED
- NONE
- NONE
- NONE
- HIGH
CWE-674 - Uncontrolled Recursion
The product does not properly control the amount of recursion which takes place, consuming excessive resources, such as allocated memory or the program stack.
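The weakness class described in the Summary and in CWE-674, shown as an added example that is not Log4j's code: a simplified model of "${ctx:key}" interpolation with an unguarded resolver beside one that tracks the keys being expanded and caps nesting depth. The class name, method names, MAX_DEPTH value and sample context data are assumptions made for this illustration.

```java
import java.util.*;
import java.util.regex.*;

public class LookupGuardDemo {
    // Simplified model of "${ctx:key}" lookups; this is not Log4j's parser.
    static final Pattern REF = Pattern.compile("\\$\\{ctx:(\\w+)\\}");
    static final int MAX_DEPTH = 8; // assumed nesting limit for this example

    // Unguarded: every looked-up value is interpolated again, with no limit.
    static String resolveNaive(String text, Map<String, String> ctx) {
        Matcher m = REF.matcher(text);
        StringBuilder out = new StringBuilder();
        int last = 0;
        while (m.find()) {
            out.append(text, last, m.start());
            String value = ctx.get(m.group(1));
            out.append(value == null ? m.group() : resolveNaive(value, ctx));
            last = m.end();
        }
        return out.append(text, last, text.length()).toString();
    }

    // Guarded: a reference that would re-enter a key already being expanded,
    // or exceed MAX_DEPTH, is emitted literally instead of being expanded.
    static String resolveGuarded(String text, Map<String, String> ctx, Deque<String> active) {
        Matcher m = REF.matcher(text);
        StringBuilder out = new StringBuilder();
        int last = 0;
        while (m.find()) {
            out.append(text, last, m.start());
            String key = m.group(1), value = ctx.get(key);
            if (value == null || active.contains(key) || active.size() >= MAX_DEPTH) {
                out.append(m.group());
            } else {
                active.push(key);
                out.append(resolveGuarded(value, ctx, active));
                active.pop();
            }
            last = m.end();
        }
        return out.append(text, last, text.length()).toString();
    }

    public static void main(String[] args) {
        // Constructed sample data: one benign entry, one self-referential entry.
        Map<String, String> ctx = Map.of("user", "alice", "loop", "x${ctx:loop}");
        System.out.println(resolveGuarded("u=${ctx:user} l=${ctx:loop}", ctx, new ArrayDeque<>()));
        try {
            resolveNaive("${ctx:loop}", ctx);
        } catch (StackOverflowError e) {
            System.out.println("unguarded resolver exhausted the stack");
        }
    }
}
```

The guarded resolver degrades to printing the unexpanded reference, so a hostile context value costs one log line rather than the logging thread.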
Advisory Timeline
- Published