Cloud Vulnerability DB
A community-led vulnerabilities database
Vulnerability DatabaseCVE-2021-45105
CVE-2021-45105:
IBM Db2 vulnerability analysis and mitigation
Overview
Apache Log4j2 versions 2.0-alpha1 through 2.16.0 (excluding 2.12.3 and 2.3.1) did not protect from uncontrolled recursion from self-referential lookups. This allows an attacker with control over Thread Context Map data to cause a denial of service when a crafted string is interpreted. The vulnerability was discovered in December 2021 and fixed in Log4j versions 2.17.0, 2.12.3, and 2.3.1 (Apache Log4j).
Technical details
The vulnerability occurs when the logging configuration uses a non-default Pattern Layout with a Context Lookup (for example, $${ctx:loginId}). Attackers with control over Thread Context Map (MDC) input data can craft malicious input data that contains a recursive lookup, resulting in a StackOverflowError that will terminate the process. The vulnerability has a CVSS v3.1 base score of 5.9 MEDIUM (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H). Only the log4j-core JAR file is impacted by this vulnerability (Apache Log4j, NVD).
Impact
When successfully exploited, this vulnerability can lead to a denial of service (DoS) condition through uncontrolled recursion, causing the application to crash with a StackOverflowError. This affects the availability of systems using vulnerable Log4j versions (Apache Log4j).
Mitigation and workarounds
Users should upgrade to Log4j 2.3.1 (for Java 6), 2.12.3 (for Java 7), or 2.17.0 (for Java 8 and later). Alternatively, in PatternLayout configuration, replace Context Lookups like ${ctx:loginId} or $${ctx:loginId} with Thread Context Map patterns (%X, %mdc, or %MDC). Another option is to remove references to Context Lookups where they originate from external sources such as HTTP headers or user input (Apache Log4j).
Community reactions
The vulnerability was independently discovered by multiple researchers including Hideki Okamoto of Akamai Technologies, Guy Lederfein of Trend Micro Research working with Trend Micro's Zero Day Initiative, and another anonymous vulnerability researcher. Major vendors like Cisco, Oracle, and VMware issued advisories and patches for their affected products (Apache Log4j).
Additional resources
Source: This report was generated using AI
Related IBM Db2 vulnerabilities:
Free Vulnerability Assessment
Benchmark your Cloud Security Posture
Evaluate your cloud security practices across 9 security domains to benchmark your risk level and identify gaps in your defenses.
Additional Wiz resources
Get a personalized demo
Ready to see Wiz in action?
"Best User Experience I have ever seen, provides full visibility to cloud workloads."
David EstlickCISO
"Wiz provides a single pane of glass to see what is going on in our cloud environments."
Adam FletcherChief Security Officer
"We know that if Wiz identifies something as critical, it actually is."
Greg PoniatowskiHead of Threat and Vulnerability Management