Issued: Monday, 27 December, 2021 |
Last Revision: Monday, 27 December, 2021 |
Vendor: |
Product: |
Severity Level: |
A new vulnerability, identified as CVE-2021-45105, has been discovered in Apache Log4j 2. Its severity is critical in nature, with a high probability of being exploited by attackers. The issue lies in the “StrSubstitutor” class and is due to improper validation of user-supplied data, which can lead to resource exhaustion.
A remote attacker can use this vulnerability to cause a denial of service on affected installations of Apache Log4j. Exploitation of this vulnerability does not require authentication.
CVE/Vulnerability | Description | CVSS3.0 Score |
CVE-2021-45105 | Denial of Service attack | 7.5 |
CVE/Vulnerability | Affected Product(s) |
CVE-2021-45105 | Apache Log4j2 All versions from 2.0-beta9 to 2.16.0 |
Table 2: Vulnerable versions
Apache has released version 2.17.0 to address this vulnerability. In view of targeted attacks and exploitation of the vulnerabilities, we encourage organisations to apply the patch immediately.
We encourage organizations to keep checking their technology vendors' advisories for any updates regarding this vulnerability and to follow their recommendations. The National Cyber Security Centrum (NCSC-NL) is consolidating a list of products and their impact status; however, please confirm by visiting the vendor’s website.
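One way to find installations that fall inside the affected range from the table above, as an added example that is not part of the original advisory or of Apache's tooling. It assumes the library is deployed as files named `log4j-core-<version>.jar`, and it applies the table's range as written, so confirm any backported fix releases against the vendor's advisory.

```python
import re
import sys
from pathlib import Path

# Range as stated in the advisory's affected-versions table.
FIRST_AFFECTED, LAST_AFFECTED = "2.0-beta9", "2.16.0"

# Pre-release tags sort before the final release of the same version.
PRE_RANK = {"alpha": 0, "beta": 1, "rc": 2}
FINAL = (3, 0)
VERSION_RE = re.compile(r"^(\d+)\.(\d+)(?:\.(\d+))?(?:-(alpha|beta|rc)(\d+))?$", re.I)
JAR_RE = re.compile(r"^log4j-core-(.+)\.jar$")
STATUS = {True: "AFFECTED", False: "not in range", None: "UNKNOWN - inspect manually"}


def version_key(version):
    """Map '2.0-beta9' or '2.16.0' to a tuple that sorts in release order."""
    m = VERSION_RE.match(version)
    if not m:
        return None
    major, minor, patch, tag, num = m.groups()
    pre = (PRE_RANK[tag.lower()], int(num)) if tag else FINAL
    return (int(major), int(minor), int(patch or 0)) + pre


def is_affected(version):
    """True or False for a parseable version, None when it cannot be parsed."""
    key = version_key(version)
    if key is None:
        return None
    return version_key(FIRST_AFFECTED) <= key <= version_key(LAST_AFFECTED)


def scan(root):
    """Return (path, version, status) for each log4j-core jar found under root."""
    found = []
    for jar in sorted(Path(root).rglob("log4j-core-*.jar")):
        m = JAR_RE.match(jar.name)
        version = m.group(1) if m else ""
        found.append((str(jar), version, STATUS[is_affected(version)]))
    return found


if __name__ == "__main__":
    # The directory to scan is an assumption of this example; defaults to the current one.
    for path, version, status in scan(sys.argv[1] if len(sys.argv) > 1 else "."):
        print(f"{status:28} {version:16} {path}")
```

Matching on file names does not see copies of Log4j bundled inside other archives or renamed jars, so a clean result here does not by itself show that a host is unaffected.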
