CVE-2021-45105

🔶 medium

Summary

Apache Log4j2 versions 2.0-alpha1 through 2.16.0 (excluding 2.12.3 and 2.3.1) did not protect from uncontrolled recursion from self-referential lookups. This allows an attacker with control over Thread Context Map data to cause a denial of service when a crafted string is interpreted. This issue was fixed in Log4j 2.17.0, 2.12.3, and 2.3.1.

CVSS Score

5.9

Medium

EPSS Score

70.4

Exploit Probability

Published Date

2021-12-18

First Seen: 2026-01-05

Last Modified 2024-11-21

Source NVD 🔗

CVSS Vector 3.1 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H

CWE IDs (Weakness Types)

CWE-20 CWE-674

🔗 References 26

http://www.openwall.com/lists/oss-security/2021/12/19/1

Mailing List Mitigation Third Party Advisory

https://cert-portal.siemens.com/productcert/pdf/ssa-...

Third Party Advisory

https://cert-portal.siemens.com/productcert/pdf/ssa-...

Third Party Advisory

https://logging.apache.org/log4j/2.x/security.html

Release Notes Vendor Advisory

https://psirt.global.sonicwall.com/vuln-detail/SNWLI...

Third Party Advisory

https://security.netapp.com/advisory/ntap-20211218-0...

Third Party Advisory

https://tools.cisco.com/security/center/content/Cisc...

Third Party Advisory

https://www.debian.org/security/2021/dsa-5024

Third Party Advisory

https://www.kb.cert.org/vuls/id/930724

Third Party Advisory US Government Resource

https://www.oracle.com/security-alerts/cpuapr2022.html

Patch Third Party Advisory

https://www.oracle.com/security-alerts/cpujan2022.html

Patch Third Party Advisory

https://www.oracle.com/security-alerts/cpujul2022.html

Third Party Advisory

https://www.zerodayinitiative.com/advisories/ZDI-21-...

Third Party Advisory VDB Entry

http://www.openwall.com/lists/oss-security/2021/12/19/1

Mailing List Mitigation Third Party Advisory

https://cert-portal.siemens.com/productcert/pdf/ssa-...

Third Party Advisory

https://cert-portal.siemens.com/productcert/pdf/ssa-...

Third Party Advisory

https://logging.apache.org/log4j/2.x/security.html

Release Notes Vendor Advisory

https://psirt.global.sonicwall.com/vuln-detail/SNWLI...

Third Party Advisory

https://security.netapp.com/advisory/ntap-20211218-0...

Third Party Advisory

https://tools.cisco.com/security/center/content/Cisc...

Third Party Advisory

https://www.debian.org/security/2021/dsa-5024

Third Party Advisory

https://www.kb.cert.org/vuls/id/930724

Third Party Advisory US Government Resource

https://www.oracle.com/security-alerts/cpuapr2022.html

Patch Third Party Advisory

https://www.oracle.com/security-alerts/cpujan2022.html

Patch Third Party Advisory

https://www.oracle.com/security-alerts/cpujul2022.html

Third Party Advisory

https://www.zerodayinitiative.com/advisories/ZDI-21-...

Third Party Advisory VDB Entry

📦 Affected Products 207

Vendor	Product	Status	Affected Versions
debian	debian_linux	Affected	v10.0
debian	debian_linux	Affected	v11.0
oracle	e-business_suite	Affected	v12.2
oracle	jdeveloper	Affected	v12.2.1.4.0
oracle	peoplesoft_enterprise_peopletools	Affected	v8.58
oracle	peoplesoft_enterprise_peopletools	Affected	v8.59
oracle	weblogic_server	Affected	v12.2.1.3.0
oracle	weblogic_server	Affected	v12.2.1.4.0
oracle	weblogic_server	Affected	v14.1.1.0.0
oracle	communications_service_broker	Affected	v6.2
oracle	agile_engineering_data_management	Affected	v6.2.1.0
oracle	enterprise_manager_ops_center	Affected	v12.4.0.0
oracle	business_intelligence	Affected	v5.5.0.0.0
oracle	enterprise_manager_base_platform	Affected	v13.4.0.0
oracle	enterprise_manager_base_platform	Affected	v13.5.0.0
oracle	webcenter_sites	Affected	v12.2.1.3.0
oracle	webcenter_sites	Affected	v12.2.1.4.0
oracle	retail_point-of-service	Affected	v14.1
oracle	mysql_enterprise_monitor	Affected	≤ 8.0.29
oracle	siebel_ui_framework	Affected	≤ 21.12
oracle	communications_user_data_repository	Affected	v12.4
oracle	primavera_p6_enterprise_project_portfolio_management	Affected	≥ 19.12.0.0 ≤ 19.12.18.0
oracle	primavera_p6_enterprise_project_portfolio_management	Affected	≥ 20.12.0.0 ≤ 20.12.12.0
oracle	primavera_p6_enterprise_project_portfolio_management	Affected	v21.12.0.0
oracle	healthcare_master_person_index	Affected	v5.0.1
oracle	health_sciences_information_manager	Affected	≥ 3.0.1 ≤ 3.0.4
oracle	retail_service_backbone	Affected	≥ 16.0.1 ≤ 16.0.3
oracle	retail_service_backbone	Affected	v14.1.3
oracle	retail_service_backbone	Affected	v14.1.3.2
oracle	retail_service_backbone	Affected	v15.0.3.1
oracle	retail_service_backbone	Affected	v19.0.0
oracle	retail_service_backbone	Affected	v19.0.1
oracle	retail_service_backbone	Affected	v19.0.1.0
oracle	banking_platform	Affected	v2.12.0
oracle	banking_platform	Affected	v2.6.2
oracle	banking_platform	Affected	v2.7.1
apache	log4j	Affected	≥ 2.4 < 2.12.3
apache	log4j	Affected	≥ 2.13.0 ≤ 2.16.0
apache	log4j	Affected	≥ 2.0 < 2.3.1
oracle	financial_services_analytical_applications_infrastructure	Affected	≥ 8.0.7 ≤ 8.1.1
oracle	banking_payments	Affected	v14.5
oracle	hyperion_data_relationship_management	Affected	< 11.2.8.0
oracle	webcenter_portal	Affected	v12.2.1.3.0
oracle	webcenter_portal	Affected	v12.2.1.4.0
oracle	hyperion_planning	Affected	< 11.2.8.0
oracle	flexcube_universal_banking	Affected	≥ 12.1.0 ≤ 12.4
oracle	flexcube_universal_banking	Affected	≥ 14.0.0 ≤ 14.3.0
oracle	flexcube_universal_banking	Affected	v11.83.3
oracle	flexcube_universal_banking	Affected	v14.5
oracle	identity_manager_connector	Affected	v9.1.0
oracle	retail_merchandising_system	Affected	v16.0.3
oracle	retail_merchandising_system	Affected	v19.0.1
oracle	communications_diameter_signaling_router	Affected	≥ 8.3.0.0 ≤ 8.5.1.0
sonicwall	web_application_firewall	Affected	≥ 3.0.0 < 3.1.0
sonicwall	email_security	Affected	≤ 10.0.12
oracle	managed_file_transfer	Affected	v12.2.1.3.0
oracle	managed_file_transfer	Affected	v12.2.1.4.0
oracle	retail_customer_insights	Affected	v15.0.2
oracle	retail_customer_insights	Affected	v16.0.2
oracle	communications_performance_intelligence_center	Affected	v10.4.0.3
oracle	communications_services_gatekeeper	Affected	v7.0
oracle	retail_predictive_application_server	Affected	v14.1.3.46
oracle	retail_predictive_application_server	Affected	v15.0.3.115
oracle	retail_predictive_application_server	Affected	v16.0.3.240
oracle	retail_order_broker	Affected	v16.0
oracle	retail_order_broker	Affected	v18.0
oracle	retail_order_broker	Affected	v19.1
oracle	utilities_framework	Affected	≥ 4.3.0.1.0 ≤ 4.3.0.6.0
oracle	utilities_framework	Affected	v4.4.0.0.0
oracle	utilities_framework	Affected	v4.4.0.2.0
oracle	utilities_framework	Affected	v4.4.0.3.0
oracle	instantis_enterprisetrack	Affected	v17.1
oracle	instantis_enterprisetrack	Affected	v17.2
oracle	instantis_enterprisetrack	Affected	v17.3
oracle	communications_unified_inventory_management	Affected	v7.3.5
oracle	communications_unified_inventory_management	Affected	v7.4.1
oracle	communications_unified_inventory_management	Affected	v7.4.2
oracle	retail_invoice_matching	Affected	v15.0.3
oracle	retail_invoice_matching	Affected	v16.0.3
oracle	data_integrator	Affected	v12.2.1.3.0
oracle	data_integrator	Affected	v12.2.1.4.0
oracle	communications_convergence	Affected	v3.0.2.2.0
oracle	communications_convergence	Affected	v3.0.3.0
oracle	primavera_gateway	Affected	≥ 17.12.0 ≤ 17.12.11
oracle	primavera_gateway	Affected	≥ 18.8.0 ≤ 18.8.13
oracle	primavera_gateway	Affected	≥ 19.12.0 ≤ 19.12.12
oracle	primavera_gateway	Affected	≥ 20.12.0 ≤ 20.12.7
oracle	primavera_gateway	Affected	v21.12.0
oracle	primavera_unifier	Affected	v18.8
oracle	primavera_unifier	Affected	v19.12
oracle	primavera_unifier	Affected	v20.12
oracle	primavera_unifier	Affected	v21.12
oracle	retail_returns_management	Affected	v14.1
oracle	retail_central_office	Affected	v14.1
oracle	communications_messaging_server	Affected	v8.1
oracle	retail_integration_bus	Affected	≥ 16.0.1 ≤ 16.0.3
oracle	retail_integration_bus	Affected	≥ 19.0.0 ≤ 19.0.1.0
oracle	retail_integration_bus	Affected	v14.1.3
oracle	retail_integration_bus	Affected	v14.1.3.2
oracle	retail_integration_bus	Affected	v15.0.3.1
oracle	retail_integration_bus	Affected	v19.0.0
oracle	retail_integration_bus	Affected	v19.0.1
oracle	hospitality_suite8	Affected	v8.13.0
oracle	hospitality_suite8	Affected	v8.14.0
oracle	retail_back_office	Affected	v14.1
oracle	payment_interface	Affected	v19.1
oracle	payment_interface	Affected	v20.3
oracle	retail_store_inventory_management	Affected	v14.0.4.13
oracle	retail_store_inventory_management	Affected	v14.1.3.14
oracle	retail_store_inventory_management	Affected	v14.1.3.5
oracle	retail_store_inventory_management	Affected	v15.0.3.3
oracle	retail_store_inventory_management	Affected	v15.0.3.8
oracle	retail_store_inventory_management	Affected	v16.0.3.7
oracle	communications_interactive_session_recorder	Affected	v6.3
oracle	communications_interactive_session_recorder	Affected	v6.4
oracle	communications_webrtc_session_controller	Affected	v7.2.0.0
oracle	communications_webrtc_session_controller	Affected	v7.2.1
oracle	hyperion_bi\+	Affected	< 11.2.8.0
oracle	communications_element_manager	Affected	< 9.0
oracle	hyperion_infrastructure_technology	Affected	< 11.2.8.0
oracle	sql_developer	Affected	< 21.4.2
oracle	healthcare_foundation	Affected	≥ 7.3.0.1 ≤ 7.3.0.4
oracle	communications_billing_and_revenue_management	Affected	v12.0.0.4
oracle	communications_billing_and_revenue_management	Affected	v12.0.0.5
oracle	insurance_insbridge_rating_and_underwriting	Affected	≥ 5.4 ≤ 5.6.0.0
oracle	insurance_insbridge_rating_and_underwriting	Affected	v5.2.0
oracle	insurance_insbridge_rating_and_underwriting	Affected	v5.6.1.0
oracle	enterprise_manager_for_peoplesoft	Affected	v13.4.1.1
oracle	enterprise_manager_for_peoplesoft	Affected	v13.5.1.1
oracle	healthcare_translational_research	Affected	v4.1.0
oracle	healthcare_translational_research	Affected	v4.1.1
oracle	agile_plm	Affected	v9.3.6
oracle	retail_financial_integration	Affected	≥ 16.0.1 ≤ 16.0.3
oracle	retail_financial_integration	Affected	v14.1.3.2
oracle	retail_financial_integration	Affected	v15.0.3.1
oracle	retail_financial_integration	Affected	v19.0.0
oracle	retail_financial_integration	Affected	v19.0.1
oracle	health_sciences_empirica_signal	Affected	v9.1.0.6
oracle	health_sciences_empirica_signal	Affected	v9.2.0.0
oracle	communications_ip_service_activator	Affected	v7.4.0
oracle	communications_evolved_communications_application_server	Affected	v7.1
oracle	communications_pricing_design_center	Affected	v12.0.0.4
oracle	communications_pricing_design_center	Affected	v12.0.0.5
oracle	identity_management_suite	Affected	v12.2.1.3.0
oracle	identity_management_suite	Affected	v12.2.1.4.0
oracle	communications_session_report_manager	Affected	< 9.0
oracle	communications_session_route_manager	Affected	< 9.0
oracle	communications_network_charging_and_control	Affected	≥ 12.0.1.0.0 ≤ 12.0.4.0.0
oracle	communications_network_charging_and_control	Affected	v6.0.1.0.0
oracle	communications_network_integrity	Affected	v7.3.6
oracle	healthcare_data_repository	Affected	v8.1.1
sonicwall	network_security_manager	Affected	≥ 2.0 < 3.0
netapp	cloud_manager	Affected	v-
oracle	communications_cloud_native_core_network_function_cloud_native_environment	Affected	v1.10.0
oracle	banking_treasury_management	Affected	v14.5
oracle	communications_cloud_native_core_unified_data_repository	Affected	v1.15.0
oracle	communications_convergent_charging_controller	Affected	≥ 12.0.1.0.0 ≤ 12.0.4.0.0
oracle	communications_convergent_charging_controller	Affected	v6.0.1.0.0
oracle	communications_cloud_native_core_network_slice_selection_function	Affected	v1.8.0
oracle	communications_cloud_native_core_console	Affected	v1.9.0
oracle	communications_cloud_native_core_policy	Affected	v1.15.0
oracle	insurance_data_gateway	Affected	v1.0.1
oracle	retail_price_management	Affected	v13.2
oracle	retail_price_management	Affected	v14.0.4
oracle	retail_price_management	Affected	v14.1.3.0
oracle	retail_price_management	Affected	v15.0.3.0
oracle	retail_price_management	Affected	v16.0.3.0
oracle	autovue_for_agile_product_lifecycle_management	Affected	v21.0.2
oracle	communications_cloud_native_core_security_edge_protection_proxy	Affected	v1.7.0
oracle	financial_services_model_management_and_governance	Affected	v8.0.8.0.0
oracle	financial_services_model_management_and_governance	Affected	v8.1.0.0.0
oracle	financial_services_model_management_and_governance	Affected	v8.1.1.0.0
oracle	health_sciences_inform	Affected	v6.2.1.1
oracle	health_sciences_inform	Affected	v6.3.2.1
oracle	health_sciences_inform	Affected	v7.0.0.0
oracle	banking_enterprise_default_management	Affected	v2.12.0
oracle	banking_enterprise_default_management	Affected	v2.7.1
oracle	communications_cloud_native_core_network_repository_function	Affected	v1.15.0
oracle	communications_cloud_native_core_network_repository_function	Affected	v1.15.1
oracle	banking_party_management	Affected	v2.7.0
oracle	communications_eagle_ftp_table_base_retrieval	Affected	v4.5
oracle	retail_eftlink	Affected	v16.0.3
oracle	retail_eftlink	Affected	v17.0.2
oracle	retail_eftlink	Affected	v18.0.1
oracle	retail_eftlink	Affected	v19.0.1
oracle	retail_eftlink	Affected	v20.0.1
oracle	retail_eftlink	Affected	v21.0.0
oracle	communications_asap	Affected	v7.3
oracle	retail_data_extractor_for_merchandising	Affected	v15.0.2
oracle	retail_data_extractor_for_merchandising	Affected	v16.0.2
oracle	retail_order_management_system	Affected	v19.5
oracle	communications_cloud_native_core_service_communication_proxy	Affected	v1.15.0
oracle	banking_loans_servicing	Affected	v2.12.0
oracle	agile_plm_mcad_connector	Affected	v3.6
oracle	banking_deposits_and_lines_of_credit_servicing	Affected	v2.12.0
oracle	banking_trade_finance	Affected	v14.5
oracle	hospitality_token_proxy_service	Affected	v19.2
oracle	communications_eagle_element_management_system	Affected	v46.6
oracle	management_cloud_engine	Affected	v1.5.0
oracle	taleo_platform	Affected	< 22.1
sonicwall	6bk1602-0aa12-0tp0_firmware	Affected	< 2.7.0
sonicwall	6bk1602-0aa22-0tp0_firmware	Affected	< 2.7.0
sonicwall	6bk1602-0aa32-0tp0_firmware	Affected	< 2.7.0
sonicwall	6bk1602-0aa42-0tp0_firmware	Affected	< 2.7.0
sonicwall	6bk1602-0aa52-0tp0_firmware	Affected	< 2.7.0
oracle	hyperion_profitability_and_cost_management	Affected	< 11.2.8.0
oracle	hyperion_tax_provision	Affected	< 11.2.8.0

🔗 Related CVEs 6

CVE ID	Severity	CVSS	EPSS	Summary	Published
CVE-2025-68670	⛔ critical	9.1	0.3	xrdp is an open source RDP server. xrdp before v0.10.5 contains an unauthenticated stack-based buffer overflow vulnerabi...	2026-01-27
CVE-2026-24061	⛔ critical	9.8	29.6	telnetd in GNU Inetutils through 2.7 allows remote authentication bypass via a "-f root" value for the USER environment ...	2026-01-21
CVE-2026-21934	🔶 medium	5.4	0.0	Vulnerability in the PeopleSoft Enterprise PeopleTools product of Oracle PeopleSoft (component: Push Notifications). Su...	2026-01-20
CVE-2026-21938	🔶 medium	6.1	0.0	Vulnerability in the PeopleSoft Enterprise PeopleTools product of Oracle PeopleSoft (component: Portal). Supported vers...	2026-01-20
CVE-2026-21951	🔶 medium	6.1	0.0	Vulnerability in the PeopleSoft Enterprise PeopleTools product of Oracle PeopleSoft (component: Integration Broker). Su...	2026-01-20
CVE-2026-21976	⚠️ high	7.1	0.0	Vulnerability in the Oracle Business Intelligence Enterprise Edition product of Oracle Analytics (component: Oracle Anal...	2026-01-20

These CVEs affect the same products