apache log4j CVE-2021-45046 vulnerability in Apache and Other Products
Published on December 14, 2021

product logo product logo product logo product logo product logo product logo product logo product logo product logo
It was found that the fix to address CVE-2021-44228 in Apache Log4j 2.15.0 was incomplete in certain non-default configurations. This could allows attackers with control over Thread Context Map (MDC) input data when the logging configuration uses a non-default Pattern Layout with either a Context Lookup (for example, $${ctx:loginId}) or a Thread Context Map pattern (%X, %mdc, or %MDC) to craft malicious input data using a JNDI Lookup pattern resulting in an information leak and remote code execution in some environments and local code execution in all environments. Log4j 2.16.0 (Java 8) and 2.12.2 (Java 7) fix this issue by removing support for message lookup patterns and disabling JNDI functionality by default.

Vendor Advisory NVD

Vulnerability Analysis

CVE-2021-45046 is exploitable with network access, and does not require authorization privileges or user interaction. This vulnerability is consided to have a high level of attack complexity. It has an exploitability score of 2.2 out of four. The potential impact of an exploit of this vulnerability is considered to be critical as this vulnerability has a high impact to the confidentiality, integrity and availability of this component.

What is a Marshaling, Unmarshaling Vulnerability?

The application deserializes untrusted data without sufficiently verifying that the resulting data will be valid.

CVE-2021-45046 has been classified to as a Marshaling, Unmarshaling vulnerability or weakness.

Products Associated with CVE-2021-45046

You can be notified by stack.watch whenever vulnerabilities like CVE-2021-45046 are published in these products:


What versions are vulnerable to CVE-2021-45046?

Each of the following must match for the vulnerability to exist.

Vulnerable Packages

The following package name and versions may be associated with CVE-2021-45046

Package Manager Vulnerable Package Versions Fixed In
maven org.apache.logging.log4j:log4j-core <2.16.0 2.16.0