The series of vulnerabilities recently discovered in Log4j2 has shocked the internet. As part of our continuing research, on December 17, Hideki Okamoto from Akamai found and responsibly reported an additional denial-of-service (DoS) vulnerability, which was assigned CVE-2021-45105.

How we discovered CVE-2021-45105

We were analyzing CVE-2021-45046, the second in this series of vulnerabilities. When Log4j2 properties include a custom layout using a Context Lookup (${ctx:FOOBAR}) or a Thread Context Map pattern (%X, %mdc, or %MDC) and the application passes user inputs to the thread context, crafted payloads can lead to uncontrolled recursion. This was later discovered to be a remote code execution (RCE) vulnerability but was initially reported to cause DoS.

As we were trying to determine what payloads cause DoS, we found a payload published by a third-party security team.…
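
The configuration side of the CVE-2021-45046 condition described above can be checked mechanically. The following is an added example, not code from the original article, Akamai, or the Log4j project: a Python audit that scans a Log4j2 XML or properties configuration for layout patterns containing Context Lookups or Thread Context Map converters. The function names and both sample configurations are constructed for illustration.

```python
import re
import xml.etree.ElementTree as ET

# Constructs the article names: ${ctx:KEY} / $${ctx:KEY} lookups and %X, %mdc, %MDC converters.
CTX_LOOKUP = re.compile(r"\$\$?\{ctx:[^}]*\}")
MDC_CONVERTER = re.compile(r"%-?\d*(?:\.-?\d+)?(?:X|mdc|MDC)")

def layout_patterns(text):
    """Yield (location, pattern) pairs from Log4j2 XML or properties config text."""
    if text.lstrip().startswith("<"):
        for el in ET.fromstring(text).iter():
            tag = el.tag.rsplit("}", 1)[-1]          # drop an XML namespace, if any
            for name, value in el.attrib.items():    # <PatternLayout pattern="..."/>
                if name.lower() == "pattern":
                    yield f"<{tag}> attribute", value
            if tag.lower() == "pattern" and el.text and el.text.strip():
                yield "<Pattern> element", el.text.strip()
    else:
        for n, line in enumerate(text.splitlines(), 1):
            key, sep, value = line.partition("=")
            if sep and not line.lstrip().startswith(("#", "!")) \
                    and key.strip().lower().endswith(".pattern"):
                yield f"line {n}: {key.strip()}", value.strip()

def audit(text):
    """Return (location, kind, match) per thread-context reference in a layout pattern.
    This covers the config side only; user input must also reach the thread context."""
    findings = []
    for where, pattern in layout_patterns(text):
        for m in CTX_LOOKUP.finditer(pattern):
            findings.append((where, "context-lookup", m.group(0)))
        # "%%" is an escaped literal percent sign, so remove it before matching converters
        for m in MDC_CONVERTER.finditer(pattern.replace("%%", "")):
            findings.append((where, "thread-context-map", m.group(0)))
    return findings

# Constructed sample configurations (not taken from the article).
SAMPLE_XML = """<Configuration><Appenders>
  <Console name="A"><PatternLayout pattern="%d %p ${ctx:FOOBAR} %m%n"/></Console>
  <File name="B" fileName="app.log">
    <PatternLayout><Pattern>%d [%X{requestId}] 100%%X %m%n</Pattern></PatternLayout>
  </File>
  <Console name="C"><PatternLayout pattern="%d %p %c - %m%n"/></Console>
</Appenders></Configuration>"""
SAMPLE_PROPERTIES = """appender.console.layout.type = PatternLayout
appender.console.layout.pattern = %d %-5p $${ctx:FOOBAR} %mdc %m%n"""
if __name__ == "__main__":
    for finding in audit(SAMPLE_XML) + audit(SAMPLE_PROPERTIES):
        print(finding)
```

A finding identifies a layout worth reviewing; whether it is reachable depends on which thread context keys the application fills from request data.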