CVE-2021-45105 - Denial of Service (DoS)

Severity: Low

2021-12-21


Abstract

Apache Log4j2 versions 2.0-alpha1 through 2.16.0 (excluding 2.12.3) did not protect from uncontrolled recursion from self-referential lookups. This allows an attacker with control over Thread Context Map data to cause a denial of service when a crafted string is interpreted. This issue was fixed in Log4j 2.17.0 and 2.12.3.

The Oxygen XML products incorporate Apache Log4j2 as a third-party library. This advisory was opened to address the potential impact of this third-party library vulnerability on those products.

Affected Products/Versions

Product                                          | Severity | Fixed Release Availability
-------------------------------------------------|----------|-----------------------------------------------------
Oxygen Content Fusion v4.1                       | Low      | Oxygen Content Fusion 4.1.5 build 2021122115
Oxygen Content Fusion v3.0                       | Low      | Oxygen Content Fusion 3.0.2 build 2021122116
Oxygen Content Fusion v2.0                       | Low      | Oxygen Content Fusion 2.0.4 build 2021122211
Oxygen XML Web Author v24.0.0                    | Low      | Oxygen XML Web Author 24.0.0.3 build 2021122015
Oxygen XML Web Author from v23.0.0 to v23.1.1    | Low      | Oxygen XML Web Author 23.1.1.3 build 2021122014
Oxygen XML Web Author v22.1.0                    | Low      | Oxygen XML Web Author 22.1.0.5 build 2021122014
Oxygen Feedback 2.0 and older                    | Low      | Oxygen Feedback Enterprise 2.0.1 build 2021122021
Oxygen XML Publishing Engine from 22.1 to 24.0   | Low      | N/A
Oxygen XML WebHelp from 22.1 to 24.0             | Low      | N/A
Oxygen PDF Chemistry from 22.1 to 24.0           | Low      | N/A
Oxygen License Server from 22.1 to 24.0          | Low      | Oxygen License Server 24.0 build 2021122016
Oxygen XML Author from 16.1 to 24.0              | Low      | N/A
Oxygen XML Developer from 16.1 to 24.0           | Low      | N/A
Oxygen XML Editor from 16.1 to 24.0              | Low      | N/A

Mitigation

  • If you are using Oxygen XML Editor/Author/Developer/Web Author, use the oxygen-log4j-patcher.
  • If you are using Oxygen Content Fusion, use the content-fusion-log4j-patcher.
  • For other scenarios, manually update all occurrences of log4j-core to version 2.17.
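For the "manually update all occurrences of log4j-core" case, the following POSIX shell script is an added example (not part of this advisory and not one of the Oxygen patcher tools): it finds every log4j-core jar under an installation directory and flags those whose version is still inside the range named in the abstract. It assumes the version can be read from the jar file name (log4j-core-<version>.jar); the sample directory tree it builds is constructed for the demo.

```shell
#!/bin/sh
# Added example, not Oxygen code: flag log4j-core jars in the CVE-2021-45105
# range. Assumption: the version is read from the file name log4j-core-<ver>.jar.

# log4j_version_vulnerable VERSION -> 0 if VERSION is affected
# (2.0-alpha1 .. 2.16.0 except 2.12.3; 2.12.3 and 2.17.0+ are fixed), else 1.
log4j_version_vulnerable() {
  ver=$1
  case "$ver" in
    2.12.3) return 1 ;;   # fixed back-port on the 2.12 line
    2.*) ;;               # fall through to the numeric check
    *) return 1 ;;        # 1.x and anything else is outside the range
  esac
  rest=${ver#*.}; minor=${rest%%.*}
  minor=${minor%%-*}      # "2.0-alpha1" -> minor 0
  [ "$minor" -le 16 ]
}

# scan_log4j_jars DIR -> prints one line per jar; returns 1 if any is vulnerable.
scan_log4j_jars() {
  found=0
  while IFS= read -r jar; do
    [ -n "$jar" ] || continue
    base=${jar##*/}; ver=${base#log4j-core-}; ver=${ver%.jar}
    if log4j_version_vulnerable "$ver"; then
      echo "$jar $ver VULNERABLE (update to 2.17.0 or 2.12.3)"; found=1
    else
      echo "$jar $ver ok"
    fi
  done <<EOF
$(find "$1" -name 'log4j-core-*.jar')
EOF
  return $found
}

# Constructed sample tree (empty files stand in for jars) so this runs offline;
# point scan_log4j_jars at a real installation directory instead.
make_sample_tree() {
  d=$(mktemp -d)
  mkdir -p "$d/lib" "$d/plugins/old"
  : > "$d/lib/log4j-core-2.17.0.jar"
  : > "$d/plugins/old/log4j-core-2.14.1.jar"
  : > "$d/plugins/log4j-core-2.12.3.jar"
  echo "$d"
}

if [ "${1:-}" = "--demo" ]; then
  scan_log4j_jars "$(make_sample_tree)" || echo "vulnerable log4j-core present"
fi
```

Run it with `--demo` to see the constructed tree scanned; a non-zero exit from scan_log4j_jars means at least one jar still needs the update.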

Detail

CVE-2021-45105

Severity: High

CVSS Score: 7.5

The Apache Log4j2 third-party library used by Oxygen XML products is one of the affected versions listed in the CVE-2021-45105 description. However, our default configuration does not change the Pattern Layout, and the vulnerability can only be exploited if a trusted party modifies the logging configuration. For that reason, we have rated the severity level for our products as Low.

Revision History

2021-12-22
Starting with Oxygen Content Fusion 4.1.5 build 2021122115, the Apache Log4j library was updated to version 2.17.0. This version is no longer affected by this vulnerability.
Starting with Oxygen Content Fusion 3.0.2 build 2021122116, the Apache Log4j library was updated to version 2.17.0. This version is no longer affected by this vulnerability.
Starting with Oxygen Content Fusion 2.0.4 build 2021122211, the Apache Log4j library was updated to version 2.17.0. This version is no longer affected by this vulnerability.

2021-12-21
Starting with Oxygen Feedback 2.0.1 build 2021122021, the Apache Log4j library was updated to version 2.17.0. This version is no longer affected by this vulnerability.
Starting with Oxygen XML Web Author 24.0.0.3 build 2021122015, the Apache Log4j library was updated to version 2.17.0. This version is no longer affected by this vulnerability.
Starting with Oxygen XML Web Author 23.1.1.3 build 2021122014, the Apache Log4j library was updated to version 2.17.0. This version is no longer affected by this vulnerability.
Starting with Oxygen XML Web Author 22.1.0.5 build 2021122014, the Apache Log4j library was updated to version 2.17.0. This version is no longer affected by this vulnerability.
Starting with Oxygen License Server 24.0 build 2021122016, the Apache Log4j library was updated to version 2.17.0. This version is no longer affected by this vulnerability.
