DoS vulnerability in log4j < 2.17.0

Issue date: 20-12-2021
Affects versions: 14.7, 13.4, 12.6

Security Issue ID



Affected Product Version(s)

14.7.2, 13.4.13, 12.6.22 and previous releases.

Apache Log4j2 versions 2.0-alpha1 through 2.16.0 (excluding 2.12.3) did not protect against uncontrolled recursion from self-referential lookups. This allows an attacker with control over Thread Context Map (MDC) data to cause a denial of service when a crafted string is interpreted. This issue was fixed in Log4j 2.17.0 and 2.12.3.

The default logging configuration provided by Bloomreach does not use a 'ctx' lookup pattern that would trigger this vulnerability, so we believe the actual risk to customers is low. brXM versions 12.6.23, 13.4.14, and 14.7.3 have been updated to use log4j 2.17.0, which closes this vulnerability.

Customers are recommended to upgrade to the latest brXM version available.
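As an added defender-side check (example code, not Bloomreach's or the Log4j project's own), the script below applies the two conditions this advisory names: whether a Log4j 2 version falls in the affected range, and whether a Log4j 2 XML configuration contains a PatternLayout that uses a ${ctx:...} lookup. The configuration it inspects is a constructed sample.

```python
import re
import xml.etree.ElementTree as ET

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)(?:\.(\d+))?")
# Matches ${ctx:key} and the escaped form $${ctx:key} used for per-event lookups.
_CTX_LOOKUP_RE = re.compile(r"\$\$?\{ctx:")

# Constructed sample configuration: the Console layout is fine, the Audit
# layout pulls a value from the Thread Context Map through a ctx lookup.
SAMPLE_CONFIG = """<Configuration status="WARN">
  <Appenders>
    <Console name="Console" target="SYSTEM_OUT">
      <PatternLayout pattern="%d %-5p [%t] %c - %m%n"/>
    </Console>
    <File name="Audit" fileName="audit.log">
      <PatternLayout>
        <Pattern>%d user=$${ctx:userId} %m%n</Pattern>
      </PatternLayout>
    </File>
  </Appenders>
  <Loggers><Root level="info"><AppenderRef ref="Console"/></Root></Loggers>
</Configuration>
"""

def parse_version(version):
    """Return (major, minor, patch) for strings such as '2.16.0' or '2.0-alpha1'."""
    m = _VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised log4j version: {version!r}")
    major, minor, patch = m.groups()
    return int(major), int(minor), int(patch or 0)

def is_affected(version):
    """True for Log4j 2.0-alpha1 .. 2.16.0, except 2.12.3 and later 2.12.x."""
    major, minor, patch = parse_version(version)
    if major != 2:
        return False  # the 1.x code base is out of scope for this advisory
    if minor == 12 and patch >= 3:
        return False  # 2.12.3 carries the fix on the Java 7 branch
    return (minor, patch) < (17, 0)

def find_ctx_lookups(config_xml):
    """Return each PatternLayout pattern that uses a ${ctx:...} lookup (the
    trigger condition); the %X{key} converter prints MDC values without it."""
    hits = []
    for layout in ET.fromstring(config_xml).iter("PatternLayout"):
        candidates = [layout.get("pattern")] + [p.text for p in layout.findall("Pattern")]
        hits.extend(c.strip() for c in candidates if c and _CTX_LOOKUP_RE.search(c))
    return hits
```

A non-empty result from find_ctx_lookups on an affected version is the combination to prioritise; upgrading to 2.17.0 as the advisory recommends removes the dependency on the pattern check.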