Apache Log4j2 versions 2.0-alpha1 through 2.16.0 (excluding 2.12.3 and 2.3.1) did not protect from uncontrolled recursion from self-referential lookups. This allows an attacker with control over Thread Context Map data to cause a denial of service when a crafted string is interpreted. This issue was fixed in Log4j 2.17.0, 2.12.3, and 2.3.1.
CVE-2021-45105
This medium-severity CVE scores 5.9 under NVD CVSS v3. EPSS exploit probability: 74.5%, top 1% of all CVEs by exploit prediction. GitHub Security Advisory data not yet ingested — confidence will rise once GHSA publishes (typical lag: hours to days for open-source ecosystem CVEs; never for infrastructure-only CVEs).
- High exploitation likelihood — EPSS 100%
A fix is available — apply it.
- CVSS v3
- 5.9
- EG Score
- 5.9(medium)
- EPSS
- 100.0%
- KEV
- Not listed
Published
December 18, 2021
Last Modified
May 29, 2026
References (26)
- security@apachehttp://www.openwall.com/lists/oss-security/2021/12/19/1
- security@apachehttps://cert-portal.siemens.com/productcert/pdf/ssa-479842.pdf
- security@apachehttps://cert-portal.siemens.com/productcert/pdf/ssa-501673.pdf
- security@apachehttps://logging.apache.org/log4j/2.x/security.html
- security@apachehttps://psirt.global.sonicwall.com/vuln-detail/SNWLID-2021-0032
- security@apachehttps://security.netapp.com/advisory/ntap-20211218-0001/
- security@apachehttps://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-apache-log4j-qRuKNEbd
- security@apachehttps://www.debian.org/security/2021/dsa-5024
- security@apachehttps://www.kb.cert.org/vuls/id/930724
- security@apachehttps://www.oracle.com/security-alerts/cpuapr2022.html
- security@apachehttps://www.oracle.com/security-alerts/cpujan2022.html
- security@apachehttps://www.oracle.com/security-alerts/cpujul2022.html
- security@apachehttps://www.zerodayinitiative.com/advisories/ZDI-21-1541/
- af854a3a-2127-422b-91ae-364da2661108http://www.openwall.com/lists/oss-security/2021/12/19/1
- af854a3a-2127-422b-91ae-364da2661108https://cert-portal.siemens.com/productcert/pdf/ssa-479842.pdf
Vendor Advisories for CVE-2021-45105(19)
These vendors published their own advisory mentioning this CVE — often with vendor-specific remediation steps + affected product lists not in NVD.
- RHSA-2022:1463Red Hat Product SecurityLow
Red Hat Security Advisory: Red Hat Single Sign-On 7.5.2 security update on RHEL 8
- RHSA-2022:1462Red Hat Product SecurityLow
Red Hat Security Advisory: Red Hat Single Sign-On 7.5.2 security update on RHEL 7
- RHSA-2022:1469Red Hat Product SecurityLow
Red Hat Security Advisory: Red Hat Single Sign-On 7.5.2 security update
- RHSA-2022:1299Red Hat Product SecurityLow
Red Hat Security Advisory: Red Hat JBoss Enterprise Application Platform 7.4.4 security update
- RHSA-2022:1297Red Hat Product SecurityLow
Red Hat Security Advisory: Red Hat JBoss Enterprise Application Platform 7.4.4 security update
- RHSA-2022:1296Red Hat Product SecurityLow
Red Hat Security Advisory: Red Hat JBoss Enterprise Application Platform 7.4.4 security update
- RHSA-2022:0223Red Hat Product SecurityMedium
Red Hat Security Advisory: Red Hat Integration Camel-K 1.6.3 release and security update
- RHSA-2022:0222Red Hat Product SecurityMedium
Red Hat Security Advisory: Red Hat Integration Camel Extensions for Quarkus 2.2 security update
- +11 more
Patch Availability(15)
| Vendor / Ecosystem | Fixed in / Patch | Released | Source |
|---|---|---|---|
| ubuntu | liblog4j2-java (2.17.1-0.21.10.1) @ impish | 2026-05-26 | ubuntu |
| ubuntu | liblog4j2-java-doc (2.17.0-0.20.04.1) @ focal | 2026-05-26 | ubuntu |
| redhat | log4j-api | 2022-04-20 | redhat |
| redhat | rh-sso7-keycloak-0:15.0.6-1.redhat_00001.1.el7sso | 2022-04-20 | redhat |
| redhat | rh-sso7-keycloak-0:15.0.6-1.redhat_00001.1.el8sso | 2022-04-20 | redhat |
| redhat | eap7-log4j-0:2.17.1-1.redhat_00001.1.el7eap | 2022-04-11 | redhat |
| redhat | log4j-core | 2022-04-11 | redhat |
| redhat | eap7-log4j-0:2.17.1-1.redhat_00001.1.el8eap | 2022-04-11 | redhat |
| redhat | patch | 2022-01-20 | redhat |
| redhat | patch | 2022-01-20 | redhat |
| redhat | openshift4/ose-logging-elasticsearch6:v4.6.0-202112201736.p0.gce7f68c.assembly.stream | 2022-01-12 | redhat |
| redhat | openshift-logging/elasticsearch6-rhel8:v5.0.11-2 | 2022-01-10 | redhat |
| redhat | openshift-logging/elasticsearch6-rhel8:v6.8.1-82 | 2022-01-10 | redhat |
| redhat | openshift-logging/elasticsearch6-rhel8:v6.8.1-84 | 2022-01-10 | redhat |
| redhat | openshift-logging/elasticsearch6-rhel8:v6.8.1-83 | 2022-01-10 | redhat |
Patches are aggregated from vendor advisories (Red Hat, Microsoft, Cisco, GitHub) and package ecosystems (OSV, GHSA). Multiple rows for the same upstream release have been deduplicated.
Affected Packages
(2 across 1 ecosystem)
Maven(2)
| Package | Vulnerable range | Fixed in | Dependents |
|---|---|---|---|
| org.apache.logging.log4j:log4j-core | 2.0 ... 2.3 (19 versions) | 2.3.1 | — |
| org.ops4j.pax.logging:pax-logging-log4j2 | 2.0.0 ... 2.0.9 (13 versions) | 2.0.13 | — |
Weakness Classification(2)
MITRE Common Weakness Enumeration — the root-cause categories this CVE belongs to.
Additional Vendor Advisories
(2)
Vendors that published advisories for this CVE beyond the curated set above. Broader coverage but minimal per-row detail — click through for the original advisory.
Data Freshness Timeline
(refreshed 0× in last 7d / 6× in last 30d)
Each row is a source pipeline that fetched or updated this CVE on that date, with what changed. For example, "NVD update" means NVD published or revised its analysis for this CVE; "MITRE cvelistV5" means we ingested or refreshed it from the CNA feed. Most recent first.
- 2026-06-30 02:00 UTCOSV refresh
- 2026-06-15 17:46 UTCEPSS rescore
- 2026-06-13 22:58 UTCEPSS rescore
- 2026-06-13 22:58 UTCEPSS rescore
- 2026-06-12 23:10 UTCEPSS rescore
- 2026-06-12 14:40 UTCOSV refresh
- 2026-06-11 13:58 UTCEPSS rescore
- 2026-06-11 13:58 UTCEPSS rescore
- 2026-06-10 22:16 UTCEPSS rescore
- 2026-06-10 22:16 UTCEPSS rescore
- 2026-06-10 13:20 UTCEPSS rescore
- 2026-06-08 14:15 UTCEPSS rescore
- 2026-06-08 14:15 UTCEPSS rescore
- 2026-06-07 15:23 UTCEPSS rescore
- 2026-06-07 15:23 UTCEPSS rescore
- 2026-06-05 22:45 UTCEPSS rescore
- 2026-06-05 06:09 UTCEPSS rescore
- 2026-06-05 06:09 UTCEPSS rescore
- 2026-06-04 13:10 UTCEPSS rescore
- 2026-06-04 13:10 UTCEPSS rescore
- 2026-06-02 20:11 UTCEPSS rescore
- 2026-06-02 20:11 UTCEPSS rescore
- 2026-06-01 13:50 UTCEPSS rescore
- 2026-06-01 13:50 UTCEPSS rescore
- 2026-05-31 00:15 UTCEPSS rescore
Show 8 moreShow fewer
- 2026-05-31 00:15 UTCEPSS rescore
- 2026-05-29 13:42 UTCEPSS rescore
- 2026-05-28 13:43 UTCEPSS rescore
- 2026-05-28 13:43 UTCEPSS rescore
- 2026-05-27 13:39 UTCEPSS rescore
- 2026-05-27 13:39 UTCEPSS rescore
- 2026-05-26 06:06 UTCEG score recompute
- 2026-05-26 06:06 UTCVendor advisory
Publicly available exploits
(2 references)Working exploit code is in the public domain (2 GitHub PoCs). Defenders should treat patch urgency accordingly — public PoCs typically lead to mass-exploitation within 24-72 hours.
- GitHub PoCiAmSOScArEd/log4j2_dos_exploitFirst seen Dec 20, 2021
log4j2 dos exploit,CVE-2021-45105 exploit,Denial of Service poc
Open source ↗ - GitHub PoCcckuailong/Log4j_dos_CVE-2021-45105First seen Dec 18, 2021
Log4j_dos_CVE-2021-45105
Open source ↗
Past incidents using this CVE
(1)This CVE was central to one or more publicly-documented breaches. Each card links to authoritative reporting at the time of the incident.
- Log4Shell (Apache Log4j)Dec 2021
JNDI lookup injection in Log4j, a ubiquitous Java logging library. Pre-auth unauthenticated RCE; Apache Foundation called it the worst vulnerability in a decade. Active exploitation continues 3+ years later.
Source: Wired
Related CVEs(same vendor + same CWE)
Same vendor
10 shownredhat
Same CWE
10 shownCWE-20
- CVE-2002-2444EG 9.8CRITICAL
- CVE-2005-0116NVD 0.0EG 9.0EPSS 99%NONE
- CVE-2002-1359NVD 0.0EG 9.0EPSS 100%NONE
- CVE-2000-0380NVD 0.0EG 9.0EPSS 98%NONE
- CVE-2000-0258EG 7.5EPSS 97%HIGH
- CVE-2004-2771EG 0.0EPSS 93%NONE
- CVE-2002-2443EG 0.0EPSS 93%NONE
- CVE-2002-2433EG 0.0NONE
- CVE-2003-1569EG 0.0NONE
- CVE-2003-1568EG 0.0NONE
Frequently asked(5)
What is CVE-2021-45105?
When was CVE-2021-45105 disclosed?
Is CVE-2021-45105 actively exploited?
What is the CVSS score of CVE-2021-45105?
How do I remediate CVE-2021-45105?
Dependency Blast Radius
See which npm, PyPI, Go, and Maven packages are affected by CVE-2021-45105
Is Your Infrastructure Affected by CVE-2021-45105?
EchelonGraph automatically scans your cloud infrastructure and maps CVE exposure using blast radius analysis.