CVE-2021-45105

NameCVE-2021-45105
DescriptionApache Log4j2 versions 2.0-alpha1 through 2.16.0 (excluding 2.12.3 and 2.3.1) did not protect from uncontrolled recursion from self-referential lookups. This allows an attacker with control over Thread Context Map data to cause a denial of service when a crafted string is interpreted. This issue was fixed in Log4j 2.17.0, 2.12.3, and 2.3.1.
SourceCVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)
ReferencesDLA-2852-1, DSA-5024-1
Debian Bugs1001891

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
apache-log4j2 (PTS)buster2.17.1-1~deb10u1fixed
buster (security)2.17.0-1~deb10u1fixed
bullseye2.17.1-1~deb11u1fixed
bullseye (security)2.17.0-1~deb11u1fixed
sid, trixie, bookworm2.19.0-2fixed

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
apache-log4j2sourcestretch2.12.3-0+deb9u1DLA-2852-1
apache-log4j2sourcebuster2.17.0-1~deb10u1DSA-5024-1
apache-log4j2sourcebullseye2.17.0-1~deb11u1DSA-5024-1
apache-log4j2source(unstable)2.17.0-11001891

Notes

https://logging.apache.org/log4j/2.x/security.html#CVE-2021-45105
https://issues.apache.org/jira/browse/LOG4J2-3230
Search for package or bug name: Reporting problems