Exploited
CWE: 502, 917, 20, 400

CVE-2021-45046: Apache Log4j2 Deserialization of Untrusted Data Vulnerability

First published: Tue Dec 14 2021 (Updated: )

Apache Log4j2 contains a deserialization of untrusted data vulnerability because the fix for CVE-2021-44228 was incomplete: in certain non-default configurations, the Thread Context Lookup Pattern remains exposed to remote code execution.

Credit: security@apache.org

Affected Software | Affected Version | How to fix
Apache Log4j2 | |
debian/apache-log4j2 | <=2.15.0-1, <=2.15.0-1~deb10u1, <=2.15.0-1~deb11u1 | 2.16.0-1, 2.16.0-1~deb11u1, 2.16.0-1~deb10u1
maven/org.apache.logging.log4j:log4j-core | <2.12.2 | 2.12.2
maven/org.apache.logging.log4j:log4j-core | >=2.13.0 <2.16.0 | 2.16.0
Apache Log4j | >=2.0.1 <2.12.2 |
Apache Log4j | >=2.13.0 <2.16.0 |
Apache Log4j | =2.0 |
Apache Log4j | =2.0-beta9 |
Apache Log4j | =2.0-rc1 |
Apache Log4j | =2.0-rc2 |
Apache Log4j2 | |
Intel Computer Vision Annotation Tool | |
Apache Log4j2 | |
Intel Genomics Kernel Library | |
Intel Oneapi | |
Intel Secure Device Onboard | |
Apache Log4j2 | |
Intel System Debugger | |
Intel System Studio | |
Apache Log4j2 | |
Siemens Sppa-t3000 Ses3000 | |
Siemens Captial | <2019.1 |
Siemens Captial | =2019.1 |
Siemens Captial | =2019.1-sp1912 |
Siemens COMOS | |
Apache Log4j2 | =4.0 |
Apache Log4j2 | =4.1 |
Apache Log4j2 | =4.2 |
Apache Log4j2 | =5.0 |
Apache Log4j2 | =5.1 |
Apache Log4j2 | =5.0 |
Apache Log4j2 | =5.1 |
Siemens E-car Operation Center | <2021-12-13 |
Apache Log4j2 | =3.1 |
Apache Log4j2 | =8.5 |
Apache Log4j2 | =8.6 |
Apache Log4j2 | =8.7 |
Apache Log4j2 | =9.0 |
Siemens Energyip Prepay | =3.7 |
Siemens Energyip Prepay | =3.8 |
Apache Log4j2 | <8.6.2j-398 |
Siemens Head-end System Universal Device Integration System | |
Siemens Industrial Edge Management | |
Apache Log4j2 | <2021-12-13 |
Siemens Logo! Soft Comfort | |
Apache Log4j2 | |
Apache Log4j2 | <2021-12-11 |
Apache Log4j2 | <2021-12-13 |
Apache Log4j2 | |
Siemens Opcenter Intelligence | <=3.2 |
Apache Log4j2 | <=1.1.3 |
Apache Log4j2 | =4.1 |
Apache Log4j2 | =4.2 |
Siemens Siguard Dsa | =4.2 |
Siemens Siguard Dsa | =4.3 |
Siemens Siguard Dsa | =4.4 |
Siemens SiPass integrated | =2.80 |
Siemens SiPass integrated | =2.85 |
Siemens Siveillance Command | <=4.16.2.1 |
Siemens Siveillance Control Pro | |
Apache Log4j2 | =1.5 |
Apache Log4j2 | =1.6 |
Apache Log4j2 | |
Apache Log4j2 | |
Apache Log4j2 | |
Siemens Solid Edge Harness Design | <2020 |
Siemens Solid Edge Harness Design | =2020 |
Siemens Solid Edge Harness Design | =2020 |
Siemens Solid Edge Harness Design | =2020-sp2002 |
Siemens Spectrum Power 4 | <4.70 |
Siemens Spectrum Power 4 | =4.70 |
Siemens Spectrum Power 4 | =4.70-sp7 |
Siemens Spectrum Power 4 | =4.70-sp8 |
Siemens Spectrum Power 7 | <2.30 |
Siemens Spectrum Power 7 | =2.30 |
Siemens Spectrum Power 7 | =2.30 |
Siemens Spectrum Power 7 | =2.30-sp2 |
Apache Log4j2 | |
Siemens Tracealertserverplus | |
Apache Log4j2 | <2019.1 |
Apache Log4j2 | =2019.1 |
Apache Log4j2 | =2019.1 |
Apache Log4j2 | =2019.1-sp1912 |
Apache Log4j2 | |
Siemens Xpedition Package Integrator | |
Debian Debian Linux | =10.0 |
Debian Debian Linux | =11.0 |
SonicWall Email Security | <10.0.12 |
Fedoraproject Fedora | =34 |
Fedoraproject Fedora | =35 |
All of: Apache Log4j2 | <2.7.0 |
        Apache Log4j2 | |
All of: Apache Log4j2 | <2.7.0 |
        Siemens 6bk1602-0aa22-0tp0 | |
All of: Siemens 6bk1602-0aa32-0tp0 Firmware | <2.7.0 |
        Apache Log4j2 | |
All of: Apache Log4j2 | <2.7.0 |
        Siemens 6bk1602-0aa42-0tp0 | |
All of: Siemens 6bk1602-0aa52-0tp0 Firmware | <2.7.0 |
        Siemens 6bk1602-0aa52-0tp0 | |
redhat/log4j | <2.16.0 | 2.16.0
redhat/eap7-log4j | <0:2.17.1-1.redhat_00001.1.el8ea | 0:2.17.1-1.redhat_00001.1.el8ea
redhat/eap7-log4j | <0:2.17.1-1.redhat_00001.1.el7ea | 0:2.17.1-1.redhat_00001.1.el7ea
debian/apache-log4j2 | | 2.17.1-1~deb10u1, 2.17.0-1~deb10u1, 2.17.1-1~deb11u1, 2.17.0-1~deb11u1, 2.19.0-2

Frequently Asked Questions

  • What is the impact of CVE-2021-45046?

    The impact of CVE-2021-45046 is critical, with a severity value of 9. It could allow attackers with control over Thread Context Map (MDC) input data to execute arbitrary code.

  • What is the affected software for CVE-2021-45046?

    The affected software includes Apache Log4j2 versions prior to 2.17.1 and certain versions of eap7-log4j, log4j, and org.apache.logging.log4j:log4j-core.

  • How can I fix CVE-2021-45046?

    To fix CVE-2021-45046, update Apache Log4j2 to version 2.17.1 or newer. If using eap7-log4j, log4j, or org.apache.logging.log4j:log4j-core, update to the recommended versions provided by the respective vendors.

  • Where can I find more information about CVE-2021-45046?

    You can find more information about CVE-2021-45046 on the Apache Log4j website, CVE website, NIST National Vulnerability Database, Red Hat Security Advisories, and the Openwall mailing list.

  • What are the CWEs associated with CVE-2021-45046?

    The CWEs associated with CVE-2021-45046 are CWE-20, CWE-502, CWE-400, and CWE-917.

© 2024 SecAlerts Pty Ltd.