CVE-2021-45046

Name
CVE-2021-45046
Description
It was found that the fix to address CVE-2021-44228 in Apache Log4j 2.15.0 was incomplete in certain non-default configurations. This could allow attackers with control over Thread Context Map (MDC) input data, when the logging configuration uses a non-default Pattern Layout with either a Context Lookup (for example, $${ctx:loginId}) or a Thread Context Map pattern (%X, %mdc, or %MDC), to craft malicious input data using a JNDI Lookup pattern, resulting in an information leak and remote code execution in some environments and local code execution in all environments. Log4j 2.16.0 (Java 8) and 2.12.2 (Java 7) fix this issue by removing support for message lookup patterns and disabling JNDI functionality by default.
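As an added illustration of the condition the description names (this is example code written for this page, not code from the tracker or from the Log4j project): a small Python audit that checks a Log4j 2 version against the match rules listed further down and scans a log4j2.xml for PatternLayouts that render Thread Context Map data through %X, %mdc, %MDC or a ${ctx:...} lookup. The function names, the result codes and the sample configuration are this example's own assumptions; the sample configuration is constructed for the demonstration. Log4j also accepts JSON, YAML and properties configurations, which this script does not parse.

```python
"""Audit a Log4j 2 deployment for the CVE-2021-45046 condition.

Added example, not part of the tracker page or the Log4j project.
Two checks: is the version inside the affected ranges, and does the XML
configuration contain a PatternLayout that renders Thread Context Map data.
"""
import re
import xml.etree.ElementTree as ET

# Affected ranges copied from the page's match rules and collapsed to their union:
# exactly 2.0, 2.0.1 <= v < 2.12.2 (Java 7 line) and 2.13.0 <= v < 2.16.0 (Java 8 line).
AFFECTED_RANGES = [
    ((2, 0, 0), (2, 0, 0), True),      # min, max, max inclusive
    ((2, 0, 1), (2, 12, 2), False),
    ((2, 13, 0), (2, 16, 0), False),
]

# Conversions the advisory names. Converter names are case-sensitive: %x is the NDC,
# so only X/mdc/MDC count, and only when not followed by more letters (%Xyz is something else).
MDC_CONVERSION = re.compile(r"%(?:X|mdc|MDC)(?![A-Za-z])")
CTX_LOOKUP = re.compile(r"\$\$?\{ctx:")        # matches ${ctx: and the XML-escaped $${ctx:


def parse_version(version):
    """'2.15.0' -> (2, 15, 0); '2.0' -> (2, 0, 0). Qualifiers such as '-rc1' are ignored
    (assumption: pre-releases are treated like the release they precede)."""
    m = re.match(r"(\d+)(?:\.(\d+))?(?:\.(\d+))?", version.strip())
    if not m:
        raise ValueError(f"not a Log4j version: {version!r}")
    return tuple(int(p or 0) for p in m.groups())


def is_affected_version(version):
    v = parse_version(version)
    for lo, hi, hi_inclusive in AFFECTED_RANGES:
        if lo <= v and (v <= hi if hi_inclusive else v < hi):
            return True
    return False


def mdc_conversions(pattern):
    """Return the MDC-rendering conversions and ctx lookups found in one layout pattern."""
    return MDC_CONVERSION.findall(pattern) + CTX_LOOKUP.findall(pattern)


def audit_config(xml_text):
    """Return [(pattern, findings)] for every PatternLayout that renders thread-context data.
    Handles both the pattern="..." attribute and the nested <Pattern> element."""
    root = ET.fromstring(xml_text)
    hits = []
    for layout in root.iter("PatternLayout"):
        pattern = layout.get("pattern")
        if pattern is None:
            child = layout.find("Pattern")
            pattern = child.text if child is not None else ""
        findings = mdc_conversions(pattern or "")
        if findings:
            hits.append((pattern, findings))
    return hits


def assess(version, xml_text):
    """Result codes (this example's own): 'version-ok', 'affected-config', 'version-only'."""
    if not is_affected_version(version):
        return "version-ok"
    if audit_config(xml_text):
        return "affected-config"      # vulnerable version AND a layout that renders MDC data
    return "version-only"             # vulnerable version; this file shows no MDC-rendering layout


# Constructed sample configuration: one default-style console layout (not affected) and one
# audit-log layout that renders loginId via a ctx lookup and sessionId via %X.
SAMPLE_CONFIG = """<Configuration status="WARN">
  <Appenders>
    <Console name="Console" target="SYSTEM_OUT">
      <PatternLayout pattern="%d{HH:mm:ss} [%t] %-5level %logger{36} - %msg%n"/>
    </Console>
    <File name="Audit" fileName="audit.log">
      <PatternLayout>
        <Pattern>%d user=$${ctx:loginId} session=%X{sessionId} %msg%n</Pattern>
      </PatternLayout>
    </File>
  </Appenders>
  <Loggers>
    <Root level="info">
      <AppenderRef ref="Console"/>
      <AppenderRef ref="Audit"/>
    </Root>
  </Loggers>
</Configuration>
"""

if __name__ == "__main__":
    for version in ("2.12.1", "2.12.2", "2.15.0", "2.16.0"):
        print(version, assess(version, SAMPLE_CONFIG))
    for pattern, findings in audit_config(SAMPLE_CONFIG):
        print("MDC-rendering layout:", pattern.strip(), "->", findings)
```

A hit means the layout will interpolate attacker-influenced MDC values, which is the precondition the description states; it does not by itself prove the attacker controls those values in a given application. The reverse also holds: "version-only" is not a clean bill of health, since programmatic configuration, other layouts that emit MDC fields, and the JSON/YAML formats are not inspected here. In every case a version inside the ranges should be moved to 2.16.0 or 2.12.2 as the description says.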
NVD Severity
high
Other trackers
Mailing lists
Exploits
Forges
GitHub (code, issues), Aports (code, issues)

References

Type URI
MLIST http://www.openwall.com/lists/oss-security/2021/12/14/4
MISC https://logging.apache.org/log4j/2.x/security.html
MISC https://www.cve.org/CVERecord?id=CVE-2021-44228
CONFIRM https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00646.html
MLIST http://www.openwall.com/lists/oss-security/2021/12/15/1
CONFIRM https://security.netapp.com/advisory/ntap-20211215-0001/
CISCO https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-apache-log4j-qRuKNEbd
MLIST http://www.openwall.com/lists/oss-security/2021/12/15/3
CONFIRM https://cert-portal.siemens.com/productcert/pdf/ssa-661247.pdf
CERT-VN https://www.kb.cert.org/vuls/id/930724
CONFIRM https://cert-portal.siemens.com/productcert/pdf/ssa-714170.pdf
DEBIAN https://www.debian.org/security/2021/dsa-5022
CONFIRM https://www.oracle.com/security-alerts/alert-cve-2021-44228.html
CONFIRM https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2021-0032
MLIST http://www.openwall.com/lists/oss-security/2021/12/18/1
CONFIRM https://cert-portal.siemens.com/productcert/pdf/ssa-397453.pdf
CONFIRM https://cert-portal.siemens.com/productcert/pdf/ssa-479842.pdf
FEDORA https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/EOKPQGV24RRBBI4TBZUDQMM4MEH7MXCY/
FEDORA https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/SIG7FZULMNK2XF6FZRU4VWYDQXNMUGAJ/
Patch https://www.oracle.com/security-alerts/cpujan2022.html
MISC https://www.oracle.com/security-alerts/cpuapr2022.html

Match rules

CPE URI Source package Min version Max version
cpe:2.3:a:apache:log4j:2.0:-:*:*:*:*:*:* log4j == None == 2.0
cpe:2.3:a:apache:log4j:*:*:*:*:*:*:*:* log4j >= 2.0.1 <= 2.12.1
cpe:2.3:a:apache:log4j:*:*:*:*:*:*:*:* log4j >= 2.13.0 < 2.15.0
cpe:2.3:a:apache:log4j:*:*:*:*:*:*:*:* log4j >= 2.0.1 < 2.12.2
cpe:2.3:a:apache:log4j:*:*:*:*:*:*:*:* log4j >= 2.13.0 < 2.16.0

Vulnerable and fixed packages

Source package Branch Version Maintainer Status