CVE Record: CVE-2021-45046

alert

Notice: Keyword searching of CVE Records is now available in the search box above. Keywords may include a CVE ID (e.g., CVE-2024-1234), or one or more keywords separated by a space (e.g., authorization, SQL Injection, cross site scripting, etc.). Learn more here.

alert

Notice: Keyword searching of CVE Records is now available in the search box above. Keywords may include a CVE ID (e.g., CVE-2024-1234), or one or more keywords separated by a space (e.g., authorization, SQL Injection, cross site scripting, etc.). Learn more here.

Expand or collapse notification button

Required CVE Record Information

Description

It was found that the fix to address CVE-2021-44228 in Apache Log4j 2.15.0 was incomplete in certain non-default configurations. This could allows attackers with control over Thread Context Map (MDC) input data when the logging configuration uses a non-default Pattern Layout with either a Context Lookup (for example, $${ctx:loginId}) or a Thread Context Map pattern (%X, %mdc, or %MDC) to craft malicious input data using a JNDI Lookup pattern resulting in an information leak and remote code execution in some environments and local code execution in all environments. Log4j 2.16.0 (Java 8) and 2.12.2 (Java 7) fix this issue by removing support for message lookup patterns and disabling JNDI functionality by default.

CWE 1 Total

CWE-917: CWE-917 Improper Neutralization of Special Elements used in an Expression Language Statement ('Expression Language Injection')

Product Status

Versions 1 Total

Default Status: unknown

affected

References 21 Total

Updated: 2024-08-04

This container includes required additional information provided by the CVE Program for this vulnerability.

References 21 Total

https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2021-0032
external site
x_transferred
https://www.oracle.com/security-alerts/alert-cve-2021-44228.html
external site
x_transferred
https://www.cve.org/CVERecord?id=CVE-2021-44228
external site
x_transferred
openwall.com: [oss-security] 20211214 CVE-2021-45046: Apache Log4j2 Thread Context Message Pattern and Context Lookup Pattern vulnerable to a denial of service attack
external site
mailing-listx_transferred
https://logging.apache.org/log4j/2.x/security.html
external site
x_transferred
kb.cert.org: VU#930724
external site
third-party-advisoryx_transferred
https://cert-portal.siemens.com/productcert/pdf/ssa-661247.pdf
external site
x_transferred
https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00646.html
external site
x_transferred
tools.cisco.com: 20211210 Vulnerabilities in Apache Log4j Library Affecting Cisco Products: December 2021
external site
vendor-advisoryx_transferred
openwall.com: [oss-security] 20211215 Re: CVE-2021-45046: Apache Log4j2 Thread Context Message Pattern and Context Lookup Pattern vulnerable to a denial of service attack
external site
mailing-listx_transferred
https://cert-portal.siemens.com/productcert/pdf/ssa-714170.pdf
external site
x_transferred
debian.org: DSA-5022
external site
vendor-advisoryx_transferred
openwall.com: [oss-security] 20211218 Re: CVE-2021-45046: Apache Log4j2 Thread Context Message Pattern and Context Lookup Pattern vulnerable to a denial of service attack
external site
mailing-listx_transferred
https://cert-portal.siemens.com/productcert/pdf/ssa-397453.pdf
external site
x_transferred
https://cert-portal.siemens.com/productcert/pdf/ssa-479842.pdf
external site
x_transferred
lists.fedoraproject.org: FEDORA-2021-5c9d12a93e
external site
vendor-advisoryx_transferred
lists.fedoraproject.org: FEDORA-2021-abbe24e41c
external site
vendor-advisoryx_transferred
https://www.oracle.com/security-alerts/cpujan2022.html
external site
x_transferred
https://www.oracle.com/security-alerts/cpuapr2022.html
external site
x_transferred
https://www.oracle.com/security-alerts/cpujul2022.html
external site
x_transferred
https://security.gentoo.org/glsa/202310-16
external site
x_transferred

Authorized Data Publishers