Mend.io Vulnerability Database

What is a CVE vulnerability ID? icon What is a WS vulnerability ID? icon What is an MSC vulnerability ID? icon
New vulnerability? Tell us about it!
icon

We found results for “

CVE-2021-45046

Good to know:

icon
icon

Date: December 14, 2021

It was found that the fix to address CVE-2021-44228 in Apache Log4j 2.15.0 was incomplete in certain non-default configurations. This could allows attackers with control over Thread Context Map (MDC) input data when the logging configuration uses a non-default Pattern Layout with either a Context Lookup (for example, $${ctx:loginId}) or a Thread Context Map pattern (%X, %mdc, or %MDC) to craft malicious input data using a JNDI Lookup pattern resulting in an information leak and remote code execution in some environments and local code execution in all environments. Log4j 2.16.0 (Java 8) and 2.12.2 (Java 7) fix this issue by removing support for message lookup patterns and disabling JNDI functionality by default.

Language: Java

Severity Score

Related Resources (29)

https://github.com/advisories/GHSA-jfh8-c2jp-5v3q
https://security.gentoo.org/glsa/202310-16
https://cert-portal.siemens.com/productcert/pdf/ssa-479842.pdf
https://www.oracle.com/security-alerts/alert-cve-2021-44228.html
https://www.oracle.com/security-alerts/cpujan2022.html
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/SIG7FZULMNK2XF6FZRU4VWYDQXNMUGAJ/
https://www.cve.org/CVERecord?id=CVE-2021-44228
https://nvd.nist.gov/vuln/detail/CVE-2021-45046
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/SIG7FZULMNK2XF6FZRU4VWYDQXNMUGAJ
https://www.oracle.com/security-alerts/cpuapr2022.html
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/EOKPQGV24RRBBI4TBZUDQMM4MEH7MXCY
http://www.openwall.com/lists/oss-security/2021/12/18/1
http://www.openwall.com/lists/oss-security/2021/12/14/4
http://www.openwall.com/lists/oss-security/2021/12/15/3
https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00646.html
https://www.debian.org/security/2021/dsa-5022
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/EOKPQGV24RRBBI4TBZUDQMM4MEH7MXCY
https://logging.apache.org/log4j/2.x/security.html
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/SIG7FZULMNK2XF6FZRU4VWYDQXNMUGAJ
https://cert-portal.siemens.com/productcert/pdf/ssa-714170.pdf
https://www.openwall.com/lists/oss-security/2021/12/14/4
https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2021-0032
https://cert-portal.siemens.com/productcert/pdf/ssa-397453.pdf
https://cert-portal.siemens.com/productcert/pdf/ssa-661247.pdf
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/EOKPQGV24RRBBI4TBZUDQMM4MEH7MXCY/
https://www.oracle.com/security-alerts/cpujul2022.html
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-apache-log4j-qRuKNEbd
https://www.kb.cert.org/vuls/id/930724
https://www.mend.io/vulnerability-database/CVE-2021-45046

Severity Score

Weakness Type (CWE)

Deserialization of Untrusted Data

CWE-502

Improper Neutralization of Special Elements used in an Expression Language Statement ('Expression Language Injection')

CWE-917

Top Fix

icon

Upgrade Version

Upgrade to version org.apache.logging.log4j:log4j-core:2.3.1,2.12.2,2.16.0;org.ops4j.pax.logging:pax-logging-log4j2:1.11.10,2.0.11

Learn More

CVSS v3.1

Base Score:
Attack Vector (AV): NETWORK
Attack Complexity (AC): HIGH
Privileges Required (PR): NONE
User Interaction (UI): NONE
Scope (S): CHANGED
Confidentiality (C): HIGH
Integrity (I): HIGH
Availability (A): HIGH

CVSS v2

Base Score:
Access Vector (AV): NETWORK
Access Complexity (AC): HIGH
Authentication (AU): NONE
Confidentiality (C): PARTIAL
Integrity (I): PARTIAL
Availability (A): PARTIAL
Additional information:

Do you need more information?

Contact Us