=====================================================================

                                 CERT-Renater

                       Note d'Information No. 2021/VULN673
_____________________________________________________________________

DATE                : 24/12/2021

HARDWARE PLATFORM(S): /

OPERATING SYSTEM(S): Systems running log4j-api (maven), log4j-core
                           (maven) versions prior to 2.12.3, 2.17.0.

=====================================================================
https://github.com/advisories/GHSA-p6xc-xr62-6r2g
_____________________________________________________________________

Improper Input Validation and Uncontrolled Recursion in Apache Log4j2
high severity GitHub Reviewed

Vulnerability details

Package
  org.apache.logging.log4j:log4j-api (maven)

Affected versions
< 2.12.3
 > 2.12.3, < 2.17.0

Patched versions
2.12.3
2.17.0

Package
  org.apache.logging.log4j:log4j-core (maven)

Affected versions
< 2.12.3
 > 2.12.3, < 2.17.0

Patched versions
2.12.3
2.17.0


Description

Apache Log4j2 versions 2.0-alpha1 through 2.16.0 (excluding 2.12.3) did
not protect from uncontrolled recursion from self-referential lookups.
This allows an attacker with control over Thread Context Map data to
cause a denial of service when a crafted string is interpreted. This
issue was fixed in Log4j 2.17.0 and 2.12.3.


References
https://nvd.nist.gov/vuln/detail/CVE-2021-45105
https://logging.apache.org/log4j/2.x/security.html
https://security.netapp.com/advisory/ntap-20211218-0001/


CVE ID
CVE-2021-45105

CWEs
CWE-20 CWE-674

CVSS Score
8.6   High
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H


=========================================================
+ CERT-RENATER       |    tel : 01-53-94-20-44          +
+ 23/25 Rue Daviel   |    fax : 01-53-94-20-41          +
+ 75013 Paris        |    email:cert@support.renater.fr +
=========================================================