CVE-2021-45105: Apache Log4j2 Denial of Service Vulnerability Alert
Vulnerability Detail
Affected version
- All versions from 2.0-beta9 to 2.16.0
Unaffected version
- Apache Log4j2 2.17.0
Solution
We recommend that users upgrade to release 2.17.0. Alternatively, the issue can be mitigated in the configuration:
- In PatternLayout in the logging configuration, replace Context Lookups like ${ctx:loginId} or $${ctx:loginId} with Thread Context Map patterns (%X, %mdc, or %MDC).
- Otherwise, in the configuration, remove references to Context Lookups like ${ctx:loginId} or $${ctx:loginId} where they originate from sources external to the application such as HTTP headers or user input.
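
One way to apply the two configuration mitigations above to an XML configuration file, as an added example (not code from the advisory or from the Log4j project): it rewrites `${ctx:key}` and `$${ctx:key}` inside PatternLayout patterns to `%X{key}` and lists Context Lookups found anywhere else so they can be removed by hand. The sample configuration and the function names are constructed for illustration; lookups that carry a `:-default` value are left unchanged and reported for manual review.

```python
import re
import xml.etree.ElementTree as ET

# ${ctx:key} or $${ctx:key}, optionally with a ":-default" suffix.
CTX = re.compile(r"\${1,2}\{ctx:([^}:]+)(:-[^}]*)?\}")

# Constructed sample configuration (not taken from the advisory).
SAMPLE = """<Configuration><Appenders>
  <Console name="out">
    <PatternLayout pattern="%d ${ctx:loginId} $${ctx:reqId} ${ctx:tenant:-none} %m%n"/>
  </Console>
  <Routing name="route"><Routes pattern="$${ctx:tenant}"/></Routing>
</Appenders></Configuration>"""

def rewrite_pattern(pattern):
    """Swap Context Lookups for %X{key}; return (new_pattern, left_for_review)."""
    review = []
    def repl(m):
        if m.group(2):               # %X{key} has no default-value form
            review.append(m.group(0))
            return m.group(0)
        return "%X{" + m.group(1) + "}"
    return CTX.sub(repl, pattern), review

def audit(xml_text):
    """Rewrite PatternLayout patterns; report Context Lookups found anywhere else."""
    root = ET.fromstring(xml_text)
    report = {"review": [], "elsewhere": []}
    for el in root.iter():
        tag = el.tag.lower()
        # Candidate strings: every attribute, plus the element text (key None).
        for key, value in [*el.attrib.items(), (None, el.text or "")]:
            if not CTX.search(value):
                continue
            # Assumption: any <Pattern> element text is a PatternLayout pattern.
            is_layout = ((tag == "patternlayout" and key and key.lower() == "pattern")
                         or (tag == "pattern" and key is None))
            if not is_layout:
                report["elsewhere"].append(f"<{el.tag}> {key or 'text'}: {value.strip()}")
                continue
            new, review = rewrite_pattern(value)
            report["review"] += review
            if key:
                el.set(key, new)
            else:
                el.text = new
    return ET.tostring(root, encoding="unicode"), report

if __name__ == "__main__":
    fixed_xml, findings = audit(SAMPLE)
    print(fixed_xml, findings, sep="\n")
```

Entries under `elsewhere` correspond to the second mitigation: they sit outside PatternLayout and have no `%X` equivalent, so each one needs a decision on whether its value can come from an external source.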