CVE-2021-45046 vulnerability in Apache Log4j and Other Products
Published on December 14, 2021
Known Exploited Vulnerability
This Apache Log4j2 Deserialization of Untrusted Data Vulnerability is in CISA's Known Exploited Vulnerabilities (KEV) catalog. The fix for CVE-2021-44228 that shipped in Log4j 2.15.0 was incomplete in certain non-default configurations: an attacker who controls Thread Context Map (MDC) input data can, when the logging configuration uses a non-default PatternLayout with either a Context Lookup (for example $${ctx:loginId}) or a Thread Context Map pattern (%X, %mdc or %MDC), supply a JNDI Lookup pattern and obtain an information leak and remote code execution in some environments, and local code execution in all environments. Setting the system property log4j2.formatMsgNoLookups to true, the mitigation circulated for CVE-2021-44228, only removes lookups from the message text and does not mitigate this vector. Log4j 2.16.0 (Java 8) and 2.12.2 (Java 7) fix the issue by removing support for message lookup patterns and disabling JNDI functionality by default.
CISA's required remediation, due by May 22, 2023: apply updates per vendor instructions.
Vulnerability Analysis
CVE-2021-45046 is exploitable over the network and requires neither privileges nor user interaction, but its attack complexity is rated high because it depends on a non-default logging configuration and on attacker-controlled data reaching the Thread Context. Its CVSS v3.1 vector is AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H, which gives an exploitability subscore of 2.2 (of a maximum 3.9) and an impact subscore of 6.0; the base score is 9.0 (Critical) because the scope changes and confidentiality, integrity and availability are all rated high. The issue was initially published with a base score of 3.7 and was raised to 9.0 once remote code execution was confirmed.
What is an EL Injection Vulnerability?
The software constructs all or part of an expression language (EL) statement in a framework such as a Java Server Page (JSP) using externally-influenced input from an upstream component, but it does not neutralize, or incorrectly neutralizes, special elements that could modify the intended EL statement before it is executed.
CVE-2021-45046 is classified as an EL Injection weakness (CWE-917). In Log4j's case the "expression language" is the ${...} lookup syntax that PatternLayout and message formatting resolve at log time, so a lookup string placed into the Thread Context by an attacker is evaluated with the privileges of the logging application.
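The exploit precondition in the Known Exploited Vulnerability section has two halves: a PatternLayout that renders Thread Context data, and attacker-controlled data in the Thread Context that carries a lookup. The following Python is an added example, not code from the page or from the Log4j project; it flags PatternLayouts that reference the Thread Context in a Log4j 2 XML configuration and detects JNDI lookups (plain or hidden behind the common ${::-j} and ${lower:j} obfuscations) in values an application is about to put into the MDC. The function names, the sample configuration and the sample MDC values are constructed for this demonstration.

```python
"""Flag Log4j 2 PatternLayouts that pull Thread Context (MDC) data into the
rendered line, the non-default configuration CVE-2021-45046 needs, and detect
JNDI lookups (plain or obfuscated) in values headed for the Thread Context.

Added example; not part of the original page or of the Log4j project. The
configuration and the MDC values below are constructed for the demo.
"""
import re
import xml.etree.ElementTree as ET
from typing import List, Tuple

# Conversion patterns that render Thread Context data: %X / %mdc / %MDC (with
# or without {key}) and the context lookup ${ctx:key}. In a config file the
# lookup is usually written $${ctx:key} so it is evaluated per event rather
# than once at configuration time; both spellings are flagged.
THREAD_CONTEXT_PATTERN = re.compile(r"%(?:X|mdc|MDC)\b|\$\$?\{ctx:")


def risky_layouts(config_xml: str) -> List[Tuple[str, str]]:
    """Return (appender name, pattern) for every PatternLayout whose pattern
    references the Thread Context. Handles both the `pattern` attribute and
    the nested <Pattern> element form of the Log4j 2 XML configuration."""
    root = ET.fromstring(config_xml)
    hits = []
    for element in root.iter():
        for layout in element.findall("PatternLayout"):
            pattern = layout.get("pattern") or ""
            if not pattern:
                nested = layout.find("Pattern")
                pattern = (nested.text or "") if nested is not None else ""
            if THREAD_CONTEXT_PATTERN.search(pattern):
                hits.append((element.get("name", element.tag), pattern))
    return hits


# Two obfuscation idioms seen in lookup payloads: a default-value lookup such
# as ${anything:-j} (including ${::-j}) resolves to "j", and ${lower:J} /
# ${upper:j} change case. Collapsing them exposes the jndi: prefix they hide.
_DEFAULT_VALUE = re.compile(r"\$\{[^${}]*:-([^${}]*)\}")
_CASE_CHANGE = re.compile(r"\$\{(lower|upper):([^${}]*)\}", re.I)
_JNDI = re.compile(r"\$\{\s*jndi:", re.I)


def collapse_lookups(value: str, max_rounds: int = 16) -> str:
    """Resolve nested default-value and case-change lookups, innermost first,
    until the string stops changing (or max_rounds is hit)."""
    for _ in range(max_rounds):
        collapsed = _DEFAULT_VALUE.sub(r"\1", value)
        collapsed = _CASE_CHANGE.sub(
            lambda m: m.group(2).lower() if m.group(1).lower() == "lower" else m.group(2).upper(),
            collapsed,
        )
        if collapsed == value:
            return value
        value = collapsed
    return value


def contains_jndi_lookup(value: str) -> bool:
    """True if the value would trigger a JNDI lookup once Log4j resolves it."""
    return _JNDI.search(collapse_lookups(value)) is not None


# Constructed configuration: the "Safe" appender uses a default-style layout;
# the other two expose Thread Context data in the two ways the advisory names.
SAMPLE_CONFIG = """\
<Configuration status="WARN">
  <Appenders>
    <Console name="Safe" target="SYSTEM_OUT">
      <PatternLayout pattern="%d{ISO8601} %-5p [%t] %c{1.} - %m%n"/>
    </Console>
    <Console name="CtxLookup" target="SYSTEM_OUT">
      <PatternLayout pattern="%d %p %c{1.} [%t] $${ctx:loginId} %m%n"/>
    </Console>
    <File name="Mdc" fileName="app.log">
      <PatternLayout>
        <Pattern>%d %p %X{loginId} %m%n</Pattern>
      </PatternLayout>
    </File>
  </Appenders>
  <Loggers>
    <Root level="info"><AppenderRef ref="Safe"/></Root>
  </Loggers>
</Configuration>
"""

if __name__ == "__main__":
    for appender, pattern in risky_layouts(SAMPLE_CONFIG):
        print(f"appender {appender!r} exposes Thread Context data: {pattern}")
    # Constructed MDC values, e.g. a request header an app copies into ThreadContext.
    for mdc_value in ("alice@example.com",
                      "${jndi:ldap://127.0.0.1:1389/a}",
                      "${${lower:j}ndi:ldap://127.0.0.1:1389/a}"):
        print(f"{mdc_value!r}: jndi lookup = {contains_jndi_lookup(mdc_value)}")
```

The normalizer only undoes the two obfuscation idioms it knows about; Log4j's interpolator supports many more lookup types, so the scan is a triage aid for configurations and inputs, not a substitute for upgrading to 2.16.0 or 2.12.2.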
Products Associated with CVE-2021-45046
What versions are vulnerable to CVE-2021-45046?
- Apache Log4j 2.0-beta9, 2.0-rc1, 2.0-rc2 and 2.0 (GA release)
- Apache Log4j 2.0.1 up to (excluding) 2.12.2; fixed in 2.12.2 (Java 7 branch)
- Apache Log4j 2.13.0 up to (excluding) 2.16.0; fixed in 2.16.0
- Intel oneAPI (Eclipse plugin; no version recorded)
- Intel Audio Development Kit (no version recorded)
- Intel Datacenter Manager (no version recorded)
- Intel System Debugger (no version recorded)
- Intel Secure Device Onboard (no version recorded)
- Intel Sensor Solution Firmware Development Kit (no version recorded)
- Intel Genomics Kernel Library (no version recorded)
- Intel System Studio (no version recorded)
- CVAT Computer Vision Annotation Tool (no version recorded)
The following downstream products are listed in the NVD record as shipping or depending on an affected Log4j version. Entries without a version carry no version in the record; "versions before X" renders the record's fixed-version bound, and "base release" renders a version recorded without a service pack.
- Siemens LOGO! Soft Comfort
- Siemens Spectrum Power 4: versions before 4.70, 4.70 (base release), 4.70 SP7, 4.70 SP8
- Siemens Siveillance Control Pro
- Siemens EnergyIP Prepay 3.7 and 3.8
- Siemens Siveillance Identity 1.5 and 1.6
- Siemens Siveillance Command up to 4.16.2.1
- Siemens SiPass integrated 2.80 and 2.85
- Siemens Head End System Universal Device Integration System
- Siemens GMA-Manager: versions before 8.6.2j-398
- Siemens EnergyIP 8.5, 8.6, 8.7 and 9.0
- Siemens Energy Engage 3.1
- Siemens E-Car Operation Center: versions before 2021-12-13
- Siemens Desigo CC Info Center 5.0 and 5.1
- Siemens Desigo CC Advanced Reports 4.0, 4.1, 4.2, 5.0 and 5.1
- Siemens COMOS
- Siemens Capital: versions before 2019.1, 2019.1 (base release), 2019.1 SP1912
- Siemens Navigator: versions before 2021-12-13
- Siemens Xpedition Package Integrator (no version recorded)
- Siemens Xpedition Enterprise (no version recorded)
- Siemens VeSys: versions before 2019.1, 2019.1 (base release), 2019.1 SP1912
- Siemens Teamcenter
- Siemens Spectrum Power 7: versions before 2.30, 2.30 (base release), 2.30 SP2
- Siemens Solid Edge Harness Design: versions before 2020, 2020 (base release), 2020 SP2002
- Siemens Solid Edge CAM Pro
- Siemens Siveillance Viewpoint
- Siemens Siveillance Vantage
- Siemens SIGUARD DSA 4.2, 4.3 and 4.4
- Siemens SENTRON powermanager 4.1 and 4.2
- Siemens Operation Scheduler up to 1.1.3
- Siemens NX
- Siemens Opcenter Intelligence up to 3.2
- Siemens MindSphere: versions before 2021-12-11
- Siemens Mendix
- Siemens Industrial Edge Management Hub: versions before 2021-12-13
- Siemens Industrial Edge Management
- Siemens TraceAlertServerPlus
- Debian Linux 10.0 and 11.0
- SonicWall Email Security: versions before 10.0.12
- Fedora 34 and 35
Vulnerable Packages
The following package names and version ranges are associated with CVE-2021-45046. The log4j-core entry is split into the 2.12.x line (Java 7, fixed in 2.12.2) and the 2.13+ line (fixed in 2.16.0), matching the version list above; the Hazelcast entries are downstream packages that depend on log4j-core.
Package Manager | Vulnerable Package | Versions | Fixed In |
---|---|---|---|
maven | org.apache.logging.log4j:log4j-core | >= 2.0-beta9, < 2.12.2 | 2.12.2 |
maven | org.apache.logging.log4j:log4j-core | >= 2.13.0, < 2.16.0 | 2.16.0 |
maven | com.hazelcast.jet:hazelcast-jet | >= 4.1, < 4.5.3 | 4.5.3 |
maven | com.hazelcast:hazelcast | < 4.0.5 | 4.0.5 |
maven | com.hazelcast:hazelcast | >= 4.1.1, < 4.1.8 | 4.1.8 |
maven | com.hazelcast:hazelcast | >= 4.2, < 4.2.4 | 4.2.4 |
maven | com.hazelcast:hazelcast | >= 5.0, < 5.0.2 | 5.0.2 |
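Checking a build against the table above is mostly a version-ordering problem: the log4j-core ranges start at a pre-release (2.0-beta9), which a naive string or float comparison gets wrong. The Python below is an added example, not code from the page or from any of the listed projects; it encodes the table's ranges, orders versions the way Maven orders the ones in the table (2.0-beta9 < 2.0-rc1 < 2.0 < 2.0.1), and scans lines in the shape of mvn dependency:list output. The function names and the sample dependency listing are constructed for this demonstration.

```python
"""Check Maven coordinates against the CVE-2021-45046 ranges from the package
table.

Added example; not part of the original page or of any listed project. The
dependency listing below is constructed (mvn dependency:list output shape).
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Pre-release qualifiers order before the final release: 2.0-beta9 < 2.0-rc1 < 2.0
_QUALIFIER_RANK = {"alpha": 0, "beta": 1, "rc": 2}
_FINAL_RANK = 3
_VERSION = re.compile(r"(\d+(?:\.\d+)*)(?:-(alpha|beta|rc)(\d*))?", re.I)


def parse_version(text: str) -> Tuple[int, ...]:
    """Map a version string to a tuple that sorts the way Maven orders the
    versions in this advisory. Numeric parts are padded to four places so
    '2.0' == '2.0.0'; a missing qualifier ranks as a final release."""
    m = _VERSION.fullmatch(text.strip())
    if not m:
        raise ValueError(f"unsupported version string: {text!r}")
    numbers = [int(p) for p in m.group(1).split(".")]
    numbers += [0] * (4 - len(numbers))
    if m.group(2):
        qualifier = (_QUALIFIER_RANK[m.group(2).lower()], int(m.group(3) or 0))
    else:
        qualifier = (_FINAL_RANK, 0)
    return tuple(numbers) + qualifier


@dataclass(frozen=True)
class VulnerableRange:
    introduced: Optional[str]  # inclusive lower bound; None means every earlier version
    fixed: str                 # exclusive upper bound: the first fixed version

    def contains(self, version: str) -> bool:
        v = parse_version(version)
        above_low = self.introduced is None or parse_version(self.introduced) <= v
        return above_low and v < parse_version(self.fixed)


# The ranges from the package table.
ADVISORY = {
    "org.apache.logging.log4j:log4j-core": [
        VulnerableRange("2.0-beta9", "2.12.2"),
        VulnerableRange("2.13.0", "2.16.0"),
    ],
    "com.hazelcast.jet:hazelcast-jet": [VulnerableRange("4.1", "4.5.3")],
    "com.hazelcast:hazelcast": [
        VulnerableRange(None, "4.0.5"),
        VulnerableRange("4.1.1", "4.1.8"),
        VulnerableRange("4.2", "4.2.4"),
        VulnerableRange("5.0", "5.0.2"),
    ],
}


def affected_range(package: str, version: str) -> Optional[VulnerableRange]:
    """Return the vulnerable range that covers package@version, or None."""
    for rng in ADVISORY.get(package, []):
        if rng.contains(version):
            return rng
    return None


# One line of `mvn dependency:list` output: groupId:artifactId:type[:classifier]:version:scope
_DEP_LINE = re.compile(
    r"([\w.\-]+):([\w.\-]+):(?:jar|pom|war|bundle):(?:[\w.\-]+:)?([\w.\-]+):\w+"
)


def scan_dependency_list(text: str) -> List[Tuple[str, str, str]]:
    """Return (package, version, fixed_in) for every affected coordinate found."""
    findings = []
    for line in text.splitlines():
        m = _DEP_LINE.search(line)
        if not m:
            continue
        package = f"{m.group(1)}:{m.group(2)}"
        rng = affected_range(package, m.group(3))
        if rng is not None:
            findings.append((package, m.group(3), rng.fixed))
    return findings


# Constructed sample output, not a real build's dependency tree. Note that
# 2.15.0, the first CVE-2021-44228 fix, is still inside the affected range.
SAMPLE_DEPENDENCY_LIST = """\
[INFO]    org.apache.logging.log4j:log4j-api:jar:2.14.1:compile
[INFO]    org.apache.logging.log4j:log4j-core:jar:2.14.1:compile
[INFO]    org.apache.logging.log4j:log4j-core:jar:2.15.0:test
[INFO]    com.hazelcast:hazelcast:jar:4.2.2:compile
[INFO]    com.fasterxml.jackson.core:jackson-databind:jar:2.13.0:compile
"""

if __name__ == "__main__":
    for package, version, fixed in scan_dependency_list(SAMPLE_DEPENDENCY_LIST):
        print(f"{package} {version} is affected; upgrade to {fixed}")
```

The declared coordinate is only half the picture: a log4j-core jar shaded into a fat jar or bundled by a vendor product (the Siemens, Intel and SonicWall entries above) does not show up in dependency:list, so pair this with a scan of the deployed artifacts for org/apache/logging/log4j/core/lookup/JndiLookup.class.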