CVE-2021-45105 — MEDIUM (5.9)

Q: How severe is CVE-2021-45105?

CVE-2021-45105 has been rated MEDIUM with a CVSS base score of 5.9/10. Review the CVSS metrics above for detailed severity breakdown.

Q: Is there a patch for CVE-2021-45105?

Check the references section above for vendor advisories and patch information. Affected products include: Apache Log4J, Netapp Cloud Manager, Debian Debian Linux, Sonicwall Email Security, Sonicwall Network Security Manager.

Vulnerability Description

Apache Log4j2 versions 2.0-alpha1 through 2.16.0 (excluding 2.12.3 and 2.3.1) did not protect from uncontrolled recursion from self-referential lookups. This allows an attacker with control over Thread Context Map data to cause a denial of service when a crafted string is interpreted. This issue was fixed in Log4j 2.17.0, 2.12.3, and 2.3.1.

CVSS Score

5.9

MEDIUM

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H

Attack Vector

NETWORK

Attack Complexity

HIGH

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality

NONE

Integrity

NONE

Availability

HIGH

Affected Products

Vendor	Product	Versions
Apache	Log4J	>= 2.0, < 2.3.1
Netapp	Cloud Manager	-
Debian	Debian Linux	10.0
Sonicwall	Email Security	<= 10.0.12
Sonicwall	Network Security Manager	>= 2.0, < 3.0
Sonicwall	Web Application Firewall	>= 3.0.0, < 3.1.0
Sonicwall	6Bk1602-0Aa12-0Tp0 Firmware	< 2.7.0
Sonicwall	6Bk1602-0Aa12-0Tp0	-
Sonicwall	6Bk1602-0Aa22-0Tp0 Firmware	< 2.7.0
Sonicwall	6Bk1602-0Aa22-0Tp0	-
Sonicwall	6Bk1602-0Aa32-0Tp0 Firmware	< 2.7.0
Sonicwall	6Bk1602-0Aa32-0Tp0	-
Sonicwall	6Bk1602-0Aa42-0Tp0 Firmware	< 2.7.0
Sonicwall	6Bk1602-0Aa42-0Tp0	-
Sonicwall	6Bk1602-0Aa52-0Tp0 Firmware	< 2.7.0
Sonicwall	6Bk1602-0Aa52-0Tp0	-
Oracle	Agile Engineering Data Management	6.2.1.0
Oracle	Agile Plm	9.3.6
Oracle	Agile Plm Mcad Connector	3.6
Oracle	Autovue For Agile Product Lifecycle Management	21.0.2

Related Weaknesses (CWE)

CWE-20 CWE-674

References

http://www.openwall.com/lists/oss-security/2021/12/19/1Mailing ListMitigationThird Party Advisory
https://cert-portal.siemens.com/productcert/pdf/ssa-479842.pdfThird Party Advisory
https://cert-portal.siemens.com/productcert/pdf/ssa-501673.pdfThird Party Advisory
https://logging.apache.org/log4j/2.x/security.htmlRelease NotesVendor Advisory
https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2021-0032Third Party Advisory
https://security.netapp.com/advisory/ntap-20211218-0001/Third Party Advisory
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-aThird Party Advisory
https://www.debian.org/security/2021/dsa-5024Third Party Advisory
https://www.kb.cert.org/vuls/id/930724Third Party AdvisoryUS Government Resource
https://www.oracle.com/security-alerts/cpuapr2022.htmlPatchThird Party Advisory
https://www.oracle.com/security-alerts/cpujan2022.htmlPatchThird Party Advisory
https://www.oracle.com/security-alerts/cpujul2022.htmlThird Party Advisory
https://www.zerodayinitiative.com/advisories/ZDI-21-1541/Third Party AdvisoryVDB Entry
http://www.openwall.com/lists/oss-security/2021/12/19/1Mailing ListMitigationThird Party Advisory
https://cert-portal.siemens.com/productcert/pdf/ssa-479842.pdfThird Party Advisory

FAQ

What is CVE-2021-45105?

CVE-2021-45105 is a vulnerability with a CVSS score of 5.9 (MEDIUM). Apache Log4j2 versions 2.0-alpha1 through 2.16.0 (excluding 2.12.3 and 2.3.1) did not protect from uncontrolled recursion from self-referential lookups. This allows an attacker with control over Threa...

How severe is CVE-2021-45105?

CVE-2021-45105 has been rated MEDIUM with a CVSS base score of 5.9/10. Review the CVSS metrics above for detailed severity breakdown.

Is there a patch for CVE-2021-45105?

Check the references section above for vendor advisories and patch information. Affected products include: Apache Log4J, Netapp Cloud Manager, Debian Debian Linux, Sonicwall Email Security, Sonicwall Network Security Manager.