apache log4j CVE-2021-45046 vulnerability in Apache and Other Products
Published on December 14, 2021

Apache Log4j2 Thread Context Message Pattern and Context Lookup Pattern vulnerable to a denial of service attack

product logo product logo product logo product logo product logo product logo product logo product logo product logo product logo
It was found that the fix to address CVE-2021-44228 in Apache Log4j 2.15.0 was incomplete in certain non-default configurations. This could allows attackers with control over Thread Context Map (MDC) input data when the logging configuration uses a non-default Pattern Layout with either a Context Lookup (for example, $${ctx:loginId}) or a Thread Context Map pattern (%X, %mdc, or %MDC) to craft malicious input data using a JNDI Lookup pattern resulting in an information leak and remote code execution in some environments and local code execution in all environments. Log4j 2.16.0 (Java 8) and 2.12.2 (Java 7) fix this issue by removing support for message lookup patterns and disabling JNDI functionality by default.

Github Repository Vendor Advisory Vendor Advisory Vendor Advisory Vendor Advisory NVD

Known Exploited Vulnerability

This Apache Log4j2 Deserialization of Untrusted Data Vulnerability is part of CISA's list of Known Exploited Vulnerabilities. Apache Log4j2 contains a deserialization of untrusted data vulnerability due to the incomplete fix of CVE-2021-44228, where the Thread Context Lookup Pattern is vulnerable to remote code execution in certain non-default configurations.

The following remediation steps are recommended / required by May 22, 2023: Apply updates per vendor instructions.

Vulnerability Analysis

CVE-2021-45046 is exploitable with network access, and does not require authorization privileges or user interaction. This vulnerability is consided to have a high level of attack complexity. This vulnerability is known to be actively exploited by threat actors. The potential impact of an exploit of this vulnerability is considered to be critical as this vulnerability has a high impact to the confidentiality, integrity and availability of this component.

Attack Vector:
NETWORK
Attack Complexity:
HIGH
Privileges Required:
NONE
User Interaction:
NONE
Scope:
CHANGED
Confidentiality Impact:
HIGH
Integrity Impact:
HIGH
Availability Impact:
HIGH

Weakness Type

What is an EL Injection Vulnerability?

The software constructs all or part of an expression language (EL) statement in a Java Server Page (JSP) using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended EL statement before it is executed.

CVE-2021-45046 has been classified to as an EL Injection vulnerability or weakness.


Products Associated with CVE-2021-45046

You can be notified by email with stack.watch whenever vulnerabilities like CVE-2021-45046 are published in these products:

Apache Log4j
 
Intel Audio Development Kit
 
Intel Datacenter Manager
 
Intel Oneapi
 
Intel Secure Device Onboard
 
Intel System Debugger
 
NetApp Brocade San Navigator
 
NetApp Cloud Insights Acquisition Unit
 
NetApp Cloud Manager
 
NetApp Cloud Secure Agent
 
NetApp Oncommand Insight
 
NetApp Ontap Tools
 
NetApp Snapcenter
 
Fedora Project Fedora
 
Debian Linux
 
Aruba Networks Silver Peak Orchestrator
 
Siemens Capital
 
Siemens Cosmos
 
Siemens Desigo Consumption Control Advanced Reporting
 
Siemens Desigo Consumption Control Info Center
 
Siemens E Car Operating Center
 
Siemens Energyip Prepay
 
Siemens Gma Manager
 
Siemens Head End System Universal Device Integration System
 
Siemens Industrial Edge Management
 
Siemens Simatic Wincc
 
Siemens Sipass Integrated
 
Siemens Siveillance Command
 
Siemens Siveillance Control
 
Siemens Siveillance Identity
 
Siemens Siveillance Vantage
 
Siemens Solid Edge Wiring Harness Design
 
Siemens Spectrum Power 4
 
Siemens Spectrum Power 7
 
Siemens Teamcenter Suite
 
Siemens Vesys
 
Siemens Xpedition Enterprise Data Management
 
Siemens Xpedition Package Integrator
 
Siemens Dynamic Security Assessment
 
Siemens Industrial Edge Manangement Hub
 
Siemens Logo Soft Comfort
 
Siemens Mendix
 
Siemens Mindsphere
 
Siemens Nx
 
Siemens Opcenter Intelligence
 
Siemens Operation Scheduler
 
Amazon Aws
 
Intel Computer Vision Annotation Tool
 
Intel Genomics Kernel Library
 
Intel Sensor Solution Firmware Development Kit
 
Intel System Studio
 
Siemens Captial
 
Siemens Comos
 
Siemens Desigo Cc Advanced Reports
 
Siemens Desigo Cc Info Center
 
Siemens E Car Operation Center
 
Siemens Energy Engage
 
Siemens Energyip
 
Siemens Industrial Edge Management Hub
 
Siemens Navigator
 
Siemens Sentron Powermanager
 
Siemens Siguard Dsa
 
Siemens Siveillance Control Pro
 
Siemens Siveillance Viewpoint
 
Siemens Solid Edge Cam Pro
 
Siemens Solid Edge Harness Design
 
Siemens Teamcenter
 
Siemens Xpedition Enterprise
 
SonicWall Email Security
 
Siemens Tracealertserverplus
 
Cvat Computer Vision Annotation Tool
 

Affected Versions

Apache Software Foundation Apache Log4j:

Vulnerable Packages

The following package name and versions may be associated with CVE-2021-45046

Package Manager Vulnerable Package Versions Fixed In
maven org.apache.logging.log4j:log4j-core <2.16.0 2.16.0
maven com.hazelcast.jet:hazelcast-jet >= 4.1, < 4.5.3 4.5.3
maven com.hazelcast:hazelcast >= 5.0, < 5.0.2 5.0.2
maven com.hazelcast:hazelcast < 4.0.5 4.0.5
maven com.hazelcast:hazelcast >= 4.1.1, < 4.1.8 4.1.8
maven com.hazelcast:hazelcast >= 4.2, < 4.2.4 4.2.4

Exploit Probability

EPSS
94.34%
Percentile
99.95%

EPSS (Exploit Prediction Scoring System) scores estimate the probability that a vulnerability will be exploited in the wild within the next 30 days. The percentile shows you how this score compares to all other vulnerabilities.