CVE-2021-45105

medium
Published 2021-12-18 · Modified 2026-05-29
CVSS v3: 5.9
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H
CVSS v4: — (not yet in upstream)
VIR risk: 5.9

Description

Apache Log4j2 versions 2.0-alpha1 through 2.16.0 (excluding 2.12.3 and 2.3.1) did not protect from uncontrolled recursion from self-referential lookups. This allows an attacker with control over Thread Context Map data to cause a denial of service when a crafted string is interpreted. This issue was fixed in Log4j 2.17.0, 2.12.3, and 2.3.1.

Predictions

Exploit likelihood: 69%
Patch ETA: —

Heuristic predictions, AS-IS, for prioritization only.

Mitigations

No mitigations published for this CVE yet.


OS impact

SUSE: Affected (1 release)

| Version | Status | Fixed in |
| --- | --- | --- |
| — | Affected | — |

Debian: Mixed (7 releases)

| Version | Status | Fixed in |
| --- | --- | --- |
| trixie | Fixed | 2.17.0-1 |
| sid | Fixed | 2.17.0-1 |
| forky | Fixed | 2.17.0-1 |
| bullseye | Fixed | 2.17.0-1~deb11u1 |
| bookworm | Fixed | 2.17.0-1 |
| 11.0 | Affected | — |
| 10.0 | Affected | — |

Package impact

| Ecosystem | Package | Vulnerable | Fixed |
| --- | --- | --- | --- |
| java Maven | org.apache.logging.log4j:log4j-core | >=2.4.0,<2.12.3 | 2.12.3 |
| java Maven | org.apache.logging.log4j:log4j-core | >=2.13.0,<2.17.0 | 2.17.0 |
| java Maven | org.apache.logging.log4j:log4j-core | <2.3.1 | 2.3.1 |
| java Maven | org.ops4j.pax.logging:pax-logging-log4j2 | >=1.8.0,<1.9.2 | 1.9.2 |
| java Maven | org.ops4j.pax.logging:pax-logging-log4j2 | >=1.10.0,<1.10.9 | 1.10.9 |
| java Maven | org.ops4j.pax.logging:pax-logging-log4j2 | >=1.11.0,<1.11.12 | 1.11.12 |
| java Maven | org.ops4j.pax.logging:pax-logging-log4j2 | >=2.0.0,<2.0.13 | 2.0.13 |

Application impact

| Vendor | Product | Versions | Fixed |
| --- | --- | --- | --- |
| apache | log4j | {"startIncluding":"2.0","endExcluding":"2.3.1"} | 2.3.1 |
| apache | log4j | {"startIncluding":"2.4","endExcluding":"2.12.3"} | 2.12.3 |
| apache | log4j | {"startIncluding":"2.13.0","endIncluding":"2.16.0"} | |
| netapp | cloud_manager | - | |
| sonicwall | email_security | {"endIncluding":"10.0.12"} | |
| sonicwall | network_security_manager | {"startIncluding":"2.0","endExcluding":"3.0"} | 3.0 |
| sonicwall | web_application_firewall | {"startIncluding":"3.0.0","endExcluding":"3.1.0"} | 3.1.0 |
| sonicwall | 6bk1602-0aa12-0tp0 | - | |
| sonicwall | 6bk1602-0aa22-0tp0 | - | |
| sonicwall | 6bk1602-0aa32-0tp0 | - | |
| sonicwall | 6bk1602-0aa42-0tp0 | - | |
| sonicwall | 6bk1602-0aa52-0tp0 | - | |
| oracle | agile_engineering_data_management | 6.2.1.0 | |
| oracle | agile_plm | 9.3.6 | |
| oracle | agile_plm_mcad_connector | 3.6 | |
| oracle | autovue_for_agile_product_lifecycle_management | 21.0.2 | |
| oracle | banking_deposits_and_lines_of_credit_servicing | 2.12.0 | |
| oracle | banking_enterprise_default_management | 2.7.1 | |
| oracle | banking_enterprise_default_management | 2.12.0 | |
| oracle | banking_loans_servicing | 2.12.0 | |
| oracle | banking_party_management | 2.7.0 | |
| oracle | banking_payments | 14.5 | |
| oracle | banking_platform | 2.6.2 | |
| oracle | banking_platform | 2.7.1 | |
| oracle | banking_platform | 2.12.0 | |
| oracle | banking_trade_finance | 14.5 | |
| oracle | banking_treasury_management | 14.5 | |
| oracle | business_intelligence | 5.5.0.0.0 | |
| oracle | communications_asap | 7.3 | |
| oracle | communications_billing_and_revenue_management | 12.0.0.4 | |
| oracle | communications_billing_and_revenue_management | 12.0.0.5 | |
| oracle | communications_cloud_native_core_console | 1.9.0 | |
| oracle | communications_cloud_native_core_network_function_cloud_native_environment | 1.10.0 | |
| oracle | communications_cloud_native_core_network_repository_function | 1.15.0 | |
| oracle | communications_cloud_native_core_network_repository_function | 1.15.1 | |
| oracle | communications_cloud_native_core_network_slice_selection_function | 1.8.0 | |
| oracle | communications_cloud_native_core_policy | 1.15.0 | |
| oracle | communications_cloud_native_core_security_edge_protection_proxy | 1.7.0 | |
| oracle | communications_cloud_native_core_service_communication_proxy | 1.15.0 | |
| oracle | communications_cloud_native_core_unified_data_repository | 1.15.0 | |
| oracle | communications_convergence | 3.0.2.2.0 | |
| oracle | communications_convergence | 3.0.3.0 | |
| oracle | communications_convergent_charging_controller | {"startIncluding":"12.0.1.0.0","endIncluding":"12.0.4.0.0"} | |
| oracle | communications_convergent_charging_controller | 6.0.1.0.0 | |
| oracle | communications_diameter_signaling_router | {"startIncluding":"8.3.0.0","endIncluding":"8.5.1.0"} | |
| oracle | communications_eagle_element_management_system | 46.6 | |
| oracle | communications_eagle_ftp_table_base_retrieval | 4.5 | |
| oracle | communications_element_manager | {"endExcluding":"9.0"} | 9.0 |
| oracle | communications_evolved_communications_application_server | 7.1 | |
| oracle | communications_interactive_session_recorder | 6.3 | |
| oracle | communications_interactive_session_recorder | 6.4 | |
| oracle | communications_ip_service_activator | 7.4.0 | |
| oracle | communications_messaging_server | 8.1 | |
| oracle | communications_network_charging_and_control | {"startIncluding":"12.0.1.0.0","endIncluding":"12.0.4.0.0"} | |
| oracle | communications_network_charging_and_control | 6.0.1.0.0 | |
| oracle | communications_network_integrity | 7.3.6 | |
| oracle | communications_performance_intelligence_center | 10.4.0.3 | |
| oracle | communications_pricing_design_center | 12.0.0.4 | |
| oracle | communications_pricing_design_center | 12.0.0.5 | |
| oracle | communications_service_broker | 6.2 | |
| oracle | communications_services_gatekeeper | 7.0 | |
| oracle | communications_session_report_manager | {"endExcluding":"9.0"} | 9.0 |
| oracle | communications_session_route_manager | {"endExcluding":"9.0"} | 9.0 |
| oracle | communications_unified_inventory_management | 7.3.5 | |
| oracle | communications_unified_inventory_management | 7.4.1 | |
| oracle | communications_unified_inventory_management | 7.4.2 | |
| oracle | communications_user_data_repository | 12.4 | |
| oracle | communications_webrtc_session_controller | 7.2.0.0 | |
| oracle | communications_webrtc_session_controller | 7.2.1 | |
| oracle | data_integrator | 12.2.1.3.0 | |
| oracle | data_integrator | 12.2.1.4.0 | |
| oracle | e-business_suite | 12.2 | |
| oracle | enterprise_manager_base_platform | 13.4.0.0 | |
| oracle | enterprise_manager_base_platform | 13.5.0.0 | |
| oracle | enterprise_manager_for_peoplesoft | 13.4.1.1 | |
| oracle | enterprise_manager_for_peoplesoft | 13.5.1.1 | |
| oracle | enterprise_manager_ops_center | 12.4.0.0 | |
| oracle | financial_services_analytical_applications_infrastructure | {"startIncluding":"8.0.7","endIncluding":"8.1.1"} | |
| oracle | financial_services_model_management_and_governance | 8.0.8.0.0 | |
| oracle | financial_services_model_management_and_governance | 8.1.0.0.0 | |
| oracle | financial_services_model_management_and_governance | 8.1.1.0.0 | |
| oracle | flexcube_universal_banking | {"startIncluding":"12.1.0","endIncluding":"12.4"} | |
| oracle | flexcube_universal_banking | {"startIncluding":"14.0.0","endIncluding":"14.3.0"} | |
| oracle | flexcube_universal_banking | 11.83.3 | |
| oracle | flexcube_universal_banking | 14.5 | |
| oracle | health_sciences_empirica_signal | 9.1.0.6 | |
| oracle | health_sciences_empirica_signal | 9.2.0.0 | |
| oracle | health_sciences_inform | 6.2.1.1 | |
| oracle | health_sciences_inform | 6.3.2.1 | |
| oracle | health_sciences_inform | 7.0.0.0 | |
| oracle | health_sciences_information_manager | {"startIncluding":"3.0.1","endIncluding":"3.0.4"} | |
| oracle | healthcare_data_repository | 8.1.1 | |
| oracle | healthcare_foundation | {"startIncluding":"7.3.0.1","endIncluding":"7.3.0.4"} | |
| oracle | healthcare_master_person_index | 5.0.1 | |
| oracle | healthcare_translational_research | 4.1.0 | |
| oracle | healthcare_translational_research | 4.1.1 | |
| oracle | hospitality_suite8 | 8.13.0 | |
| oracle | hospitality_suite8 | 8.14.0 | |
| oracle | hospitality_token_proxy_service | 19.2 | |
| oracle | hyperion_bi\+ | {"endExcluding":"11.2.8.0"} | 11.2.8.0 |
| oracle | hyperion_data_relationship_management | {"endExcluding":"11.2.8.0"} | 11.2.8.0 |
| oracle | hyperion_infrastructure_technology | {"endExcluding":"11.2.8.0"} | 11.2.8.0 |
| oracle | hyperion_planning | {"endExcluding":"11.2.8.0"} | 11.2.8.0 |
| oracle | hyperion_profitability_and_cost_management | {"endExcluding":"11.2.8.0"} | 11.2.8.0 |
| oracle | hyperion_tax_provision | {"endExcluding":"11.2.8.0"} | 11.2.8.0 |
| oracle | identity_management_suite | 12.2.1.3.0 | |
| oracle | identity_management_suite | 12.2.1.4.0 | |
| oracle | identity_manager_connector | 9.1.0 | |
| oracle | instantis_enterprisetrack | 17.1 | |
| oracle | instantis_enterprisetrack | 17.2 | |
| oracle | instantis_enterprisetrack | 17.3 | |
| oracle | insurance_data_gateway | 1.0.1 | |
| oracle | insurance_insbridge_rating_and_underwriting | {"startIncluding":"5.4","endIncluding":"5.6.0.0"} | |
| oracle | insurance_insbridge_rating_and_underwriting | 5.2.0 | |
| oracle | insurance_insbridge_rating_and_underwriting | 5.6.1.0 | |
| oracle | jdeveloper | 12.2.1.4.0 | |
| oracle | managed_file_transfer | 12.2.1.3.0 | |
| oracle | managed_file_transfer | 12.2.1.4.0 | |
| oracle | management_cloud_engine | 1.5.0 | |
| oracle | mysql_enterprise_monitor | {"endIncluding":"8.0.29"} | |
| oracle | payment_interface | 19.1 | |
| oracle | payment_interface | 20.3 | |
| oracle | peoplesoft_enterprise_peopletools | 8.58 | |
| oracle | peoplesoft_enterprise_peopletools | 8.59 | |
| oracle | primavera_gateway | {"startIncluding":"17.12.0","endIncluding":"17.12.11"} | |
| oracle | primavera_gateway | {"startIncluding":"18.8.0","endIncluding":"18.8.13"} | |
| oracle | primavera_gateway | {"startIncluding":"19.12.0","endIncluding":"19.12.12"} | |
| oracle | primavera_gateway | {"startIncluding":"20.12.0","endIncluding":"20.12.7"} | |
| oracle | primavera_gateway | 21.12.0 | |
| oracle | primavera_p6_enterprise_project_portfolio_management | {"startIncluding":"19.12.0.0","endIncluding":"19.12.18.0"} | |
| oracle | primavera_p6_enterprise_project_portfolio_management | {"startIncluding":"20.12.0.0","endIncluding":"20.12.12.0"} | |
| oracle | primavera_p6_enterprise_project_portfolio_management | 21.12.0.0 | |
| oracle | primavera_unifier | 18.8 | |
| oracle | primavera_unifier | 19.12 | |
| oracle | primavera_unifier | 20.12 | |
| oracle | primavera_unifier | 21.12 | |
| oracle | retail_back_office | 14.1 | |
| oracle | retail_central_office | 14.1 | |
| oracle | retail_customer_insights | 15.0.2 | |
| oracle | retail_customer_insights | 16.0.2 | |
| oracle | retail_data_extractor_for_merchandising | 15.0.2 | |
| oracle | retail_data_extractor_for_merchandising | 16.0.2 | |
| oracle | retail_eftlink | 16.0.3 | |
| oracle | retail_eftlink | 17.0.2 | |
| oracle | retail_eftlink | 18.0.1 | |
| oracle | retail_eftlink | 19.0.1 | |
| oracle | retail_eftlink | 20.0.1 | |
| oracle | retail_eftlink | 21.0.0 | |
| oracle | retail_financial_integration | {"startIncluding":"16.0.1","endIncluding":"16.0.3"} | |
| oracle | retail_financial_integration | 14.1.3.2 | |
| oracle | retail_financial_integration | 15.0.3.1 | |
| oracle | retail_financial_integration | 19.0.0 | |
| oracle | retail_financial_integration | 19.0.1 | |
| oracle | retail_integration_bus | {"startIncluding":"16.0.1","endIncluding":"16.0.3"} | |
| oracle | retail_integration_bus | {"startIncluding":"19.0.0","endIncluding":"19.0.1.0"} | |
| oracle | retail_integration_bus | 14.1.3 | |
| oracle | retail_integration_bus | 14.1.3.2 | |
| oracle | retail_integration_bus | 15.0.3.1 | |
| oracle | retail_integration_bus | 19.0.0 | |
| oracle | retail_integration_bus | 19.0.1 | |
| oracle | retail_invoice_matching | 15.0.3 | |
| oracle | retail_invoice_matching | 16.0.3 | |
| oracle | retail_merchandising_system | 16.0.3 | |
| oracle | retail_merchandising_system | 19.0.1 | |
| oracle | retail_order_broker | 16.0 | |
| oracle | retail_order_broker | 18.0 | |
| oracle | retail_order_broker | 19.1 | |
| oracle | retail_order_management_system | 19.5 | |
| oracle | retail_point-of-service | 14.1 | |
| oracle | retail_predictive_application_server | 14.1.3.46 | |
| oracle | retail_predictive_application_server | 15.0.3.115 | |
| oracle | retail_predictive_application_server | 16.0.3.240 | |
| oracle | retail_price_management | 13.2 | |
| oracle | retail_price_management | 14.0.4 | |
| oracle | retail_price_management | 14.1.3.0 | |
| oracle | retail_price_management | 15.0.3.0 | |
| oracle | retail_price_management | 16.0.3.0 | |
| oracle | retail_returns_management | 14.1 | |
| oracle | retail_service_backbone | {"startIncluding":"16.0.1","endIncluding":"16.0.3"} | |
| oracle | retail_service_backbone | 14.1.3 | |
| oracle | retail_service_backbone | 14.1.3.2 | |
| oracle | retail_service_backbone | 15.0.3.1 | |
| oracle | retail_service_backbone | 19.0.0 | |
| oracle | retail_service_backbone | 19.0.1 | |
| oracle | retail_service_backbone | 19.0.1.0 | |
| oracle | retail_store_inventory_management | 14.0.4.13 | |
| oracle | retail_store_inventory_management | 14.1.3.5 | |
| oracle | retail_store_inventory_management | 14.1.3.14 | |
| oracle | retail_store_inventory_management | 15.0.3.3 | |
| oracle | retail_store_inventory_management | 15.0.3.8 | |
| oracle | retail_store_inventory_management | 16.0.3.7 | |
| oracle | siebel_ui_framework | {"endIncluding":"21.12"} | |
| oracle | sql_developer | {"endExcluding":"21.4.2"} | 21.4.2 |
| oracle | taleo_platform | {"endExcluding":"22.1"} | 22.1 |
| oracle | utilities_framework | {"startIncluding":"4.3.0.1.0","endIncluding":"4.3.0.6.0"} | |
| oracle | utilities_framework | 4.4.0.0.0 | |
| oracle | utilities_framework | 4.4.0.2.0 | |
| oracle | utilities_framework | 4.4.0.3.0 | |
| oracle | webcenter_portal | 12.2.1.3.0 | |
| oracle | webcenter_portal | 12.2.1.4.0 | |

References

CWEs

CWE-20 CWE-674
