CVE-2021-45105: Apache Log4j2 does not always protect from infinite recursion in lookup evaluation
Apache Log4j2 versions 2.0-alpha1 through 2.16.0 (excluding 2.12.3 and 2.3.1) did not protect from uncontrolled recursion from self-referential lookups. This allows an attacker with control over Thread Context Map data to cause a denial of service when a crafted string is interpreted. This issue was fixed in Log4j 2.17.0, 2.12.3, and 2.3.1.
Security readout for executives and security teams
This Log4j2 flaw can let an attacker who influences certain logging context data crash or stall an affected Java application. It is not described as data theft or remote code execution. The business impact is service disruption, especially where vulnerable Log4j is embedded in internet-facing or high-availability systems. Exposure is likely in Java applications or vendor products bundling affected log4j-core versions, including embedded dependencies. Priority is higher for externally reachable services, shared platforms, and products listed in vendor advisories. Systems already upgraded to 2.17.0, 2.12.3, or 2.3.1 are not indicated as affected. Treat this as a moderate availability risk. It should be remediated through normal emergency patch governance for Log4j-era exposure, with faster handling for public or revenue-critical services. It is not supported by the provided sources as active exploitation or data compromise. Mitigation focus: Upgrade Log4j2 to 2.17.0, 2.12.3, or 2.3.1 as appropriate.; Identify vendor products bundling Log4j and follow each vendor advisory.; Prioritize internet-facing, business-critical, and restart-sensitive Java services..
Prepared
Generated from the cited source records. This long-tail analysis has not been individually reviewed by a named human.
Potential ATT&CK relevance
Conservative CVE-to-ATT&CK context
These mappings and lookup hints may be relevant to the vulnerability behavior, CWE, affected product, or exposure path. Glexia-inferred context is not an official MITRE, ATT&CK, CWE, or CVE Program mapping.
ATT&CK lookup starting points
Use these exact CWE pages and searches to review the Glexia ATT&CK library from this CVE's weakness and description context.
cwe · low confidence lookup
CWE-20: Exact CWE lookup
Use the exact CWE identifier as the starting point before reviewing related ATT&CK behavior. Open the exact CWE lookup page first, then review the ATT&CK searches from that MITRE weakness context. This is a Glexia lookup hint, not an official ATT&CK mapping.
Use the exact CWE identifier as the starting point before reviewing related ATT&CK behavior. Open the exact CWE lookup page first, then review the ATT&CK searches from that MITRE weakness context. This is a Glexia lookup hint, not an official ATT&CK mapping.
These fields come from the CVE record and ADP containers, not from Glexia's Take. They preserve time-varying source decisions such as CISA SSVC, KEV status, CVSS metrics, and provider references.
We collect every scored CVSS vector available in the official CNA and ADP containers. When more than one version is present, the table keeps the source vectors side by side instead of collapsing them into the highest score.