Exploited
CWE: CWE-502, CWE-917, CWE-20, CWE-400

CVE-2021-45046: Apache Log4j2 Thread Context Message Pattern and Context Lookup Pattern vulnerable to a denial of service attack

First published: Tue Dec 14 2021

# Impact

The fix to address [CVE-2021-44228](https://nvd.nist.gov/vuln/detail/CVE-2021-44228) in Apache Log4j 2.15.0 was incomplete in certain non-default configurations. This could allow attackers with control over Thread Context Map (MDC) input data, when the logging configuration uses a non-default Pattern Layout with either a Context Lookup (for example, `$${ctx:loginId}`) or a Thread Context Map pattern (`%X`, `%mdc`, or `%MDC`), to craft malicious input data using a JNDI Lookup pattern, resulting in a remote code execution (RCE) attack.

## Affected packages

Only the `org.apache.logging.log4j:log4j-core` package is directly affected by this vulnerability. The `org.apache.logging.log4j:log4j-api` package should be kept at the same version as the `org.apache.logging.log4j:log4j-core` package to ensure compatibility if in use.

# Mitigation

Log4j 2.16.0 fixes this issue by removing support for message lookup patterns and disabling JNDI functionality by default. This issue can be mitigated in prior releases (< 2.16.0) by removing the JndiLookup class from the classpath (example: `zip -q -d log4j-core-*.jar org/apache/logging/log4j/core/lookup/JndiLookup.class`). Log4j 2.15.0 restricts JNDI LDAP lookups to localhost by default. Note that previous mitigations involving configuration, such as setting the system property `log4j2.formatMsgNoLookups` to `true`, do NOT mitigate this specific vulnerability.

Credit: security@apache.org

| Affected Software | Affected Version | How to fix |
|---|---|---|
| debian/apache-log4j2 | | 2.17.1-1~deb10u1, 2.17.0-1~deb10u1, 2.17.1-1~deb11u1, 2.17.0-1~deb11u1, 2.19.0-2 |
| debian/apache-log4j2 | <=2.15.0-1, <=2.15.0-1~deb10u1, <=2.15.0-1~deb11u1 | 2.16.0-1, 2.16.0-1~deb11u1, 2.16.0-1~deb10u1 |
| redhat/eap7-log4j | <0:2.17.1-1.redhat_00001.1.el8ea | 0:2.17.1-1.redhat_00001.1.el8ea |
| redhat/eap7-log4j | <0:2.17.1-1.redhat_00001.1.el7ea | 0:2.17.1-1.redhat_00001.1.el7ea |
| redhat/log4j | <2.16.0 | 2.16.0 |
| maven/org.apache.logging.log4j:log4j-core | <2.12.2 | 2.12.2 |
| maven/org.apache.logging.log4j:log4j-core | >=2.13.0 <2.16.0 | 2.16.0 |
| Apache Log4j | >=2.0.1 <2.12.2 | |
| Apache Log4j | >=2.13.0 <2.16.0 | |
| Apache Log4j | =2.0 | |
| Apache Log4j | =2.0-beta9 | |
| Apache Log4j | =2.0-rc1 | |
| Apache Log4j | =2.0-rc2 | |
| Apache Log4j2 | | |
| Intel Audio Development Kit | | |
| Intel Computer Vision Annotation Tool | | |
| Cvat Computer Vision Annotation Tool | | |
| Intel Datacenter Manager | | |
| Intel Genomics Kernel Library | | |
| Intel Oneapi Eclipse | | |
| Intel Secure Device Onboard | | |
| Intel Sensor Solution Firmware Development Kit | | |
| Intel System Debugger | | |
| Intel System Studio | | |
| Siemens Sppa-t3000 Ses3000 Firmware | | |
| Siemens Sppa-t3000 Ses3000 | | |
| Siemens Captial | <2019.1 | |
| Siemens Captial | =2019.1 | |
| Siemens Captial | =2019.1-sp1912 | |
| Siemens COMOS | | |
| Siemens Desigo Cc Advanced Reports | =4.0 | |
| Siemens Desigo Cc Advanced Reports | =4.1 | |
| Siemens Desigo Cc Advanced Reports | =4.2 | |
| Siemens Desigo Cc Advanced Reports | =5.0 | |
| Siemens Desigo Cc Advanced Reports | =5.1 | |
| Siemens Desigo Cc Info Center | =5.0 | |
| Siemens Desigo Cc Info Center | =5.1 | |
| Siemens E-car Operation Center | <2021-12-13 | |
| Siemens Energy Engage | =3.1 | |
| Siemens Energyip | =8.5 | |
| Siemens Energyip | =8.6 | |
| Siemens Energyip | =8.7 | |
| Siemens Energyip | =9.0 | |
| Siemens Energyip Prepay | =3.7 | |
| Siemens Energyip Prepay | =3.8 | |
| Siemens Gma-manager | <8.6.2j-398 | |
| Siemens Head-end System Universal Device Integration System | | |
| Siemens Industrial Edge Management | | |
| Siemens Industrial Edge Management Hub | <2021-12-13 | |
| Siemens Logo! Soft Comfort | | |
| Siemens Mendix | | |
| Siemens Mindsphere | <2021-12-11 | |
| Siemens Navigator | <2021-12-13 | |
| Siemens Nx | | |
| Siemens Opcenter Intelligence | <=3.2 | |
| Siemens Operation Scheduler | <=1.1.3 | |
| Siemens Sentron Powermanager | =4.1 | |
| Siemens Sentron Powermanager | =4.2 | |
| Siemens Siguard Dsa | =4.2 | |
| Siemens Siguard Dsa | =4.3 | |
| Siemens Siguard Dsa | =4.4 | |
| Siemens SiPass integrated | =2.80 | |
| Siemens SiPass integrated | =2.85 | |
| Siemens Siveillance Command | <=4.16.2.1 | |
| Siemens Siveillance Control Pro | | |
| Siemens Siveillance Identity | =1.5 | |
| Siemens Siveillance Identity | =1.6 | |
| Siemens Siveillance Vantage | | |
| Siemens Siveillance Viewpoint | | |
| Siemens Solid Edge Cam Pro | | |
| Siemens Solid Edge Harness Design | <2020 | |
| Siemens Solid Edge Harness Design | =2020 | |
| Siemens Solid Edge Harness Design | =2020-sp2002 | |
| Siemens Spectrum Power 4 | <4.70 | |
| Siemens Spectrum Power 4 | =4.70 | |
| Siemens Spectrum Power 4 | =4.70-sp7 | |
| Siemens Spectrum Power 4 | =4.70-sp8 | |
| Siemens Spectrum Power 7 | <2.30 | |
| Siemens Spectrum Power 7 | =2.30 | |
| Siemens Spectrum Power 7 | =2.30-sp2 | |
| Siemens Teamcenter | | |
| Siemens Tracealertserverplus | | |
| Siemens Vesys | <2019.1 | |
| Siemens Vesys | =2019.1 | |
| Siemens Vesys | =2019.1-sp1912 | |
| Siemens Xpedition Enterprise | | |
| Siemens Xpedition Package Integrator | | |
| Debian Debian Linux | =10.0 | |
| Debian Debian Linux | =11.0 | |
| SonicWall Email Security | <10.0.12 | |
| Fedoraproject Fedora | =34 | |
| Fedoraproject Fedora | =35 | |
| Siemens 6bk1602-0aa12-0tp0 Firmware | <2.7.0 | |
| Siemens 6bk1602-0aa12-0tp0 | | |
| Siemens 6bk1602-0aa22-0tp0 Firmware | <2.7.0 | |
| Siemens 6bk1602-0aa22-0tp0 | | |
| Siemens 6bk1602-0aa32-0tp0 Firmware | <2.7.0 | |
| Siemens 6bk1602-0aa32-0tp0 | | |
| Siemens 6bk1602-0aa42-0tp0 Firmware | <2.7.0 | |
| Siemens 6bk1602-0aa42-0tp0 | | |
| Siemens 6bk1602-0aa52-0tp0 Firmware | <2.7.0 | |
| Siemens 6bk1602-0aa52-0tp0 | | |

Remedy

For Log4j versions up to and including 2.15.0, this issue can be mitigated by removing the JndiLookup class from the classpath (example: `zip -q -d log4j-core-*.jar org/apache/logging/log4j/core/lookup/JndiLookup.class`).
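The two conditions the Impact and Mitigation sections and the Remedy above describe are easy to audit for. The checker below is an added example written for this page, not SecAlerts' or the Log4j project's code: it reads a log4j-core jar's Maven `pom.properties` to get the version, tests it against the affected ranges listed on this page, reports whether `JndiLookup.class` is still present, writes a copy of the jar with that class removed (the Python equivalent of the `zip -q -d` remedy; `zipfile` cannot delete entries in place), and scans a `log4j2.xml` fragment for `PatternLayout` patterns that use `%X`, `%mdc`, `%MDC` or `${ctx:...}`. The jar it builds in a temporary directory and the configuration text are constructed stand-ins that only contain the entries the checker reads; the function names are this example's own.

```python
"""CVE-2021-45046 audit helper (added example; constructed sample jar and config)."""
import os
import re
import tempfile
import zipfile

# Entry names as they appear inside a real log4j-core jar.
JNDI_LOOKUP_ENTRY = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
POM_PROPS_ENTRY = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
# Layout tokens named in the advisory; "${ctx:" also matches the escaped "$${ctx:" form.
RISKY_PATTERN_TOKENS = re.compile(r"\$\{ctx:|%X\b|%mdc\b|%MDC\b")


def version_key(version):
    """Sortable key; a release ranks above its own -betaN / -rcN pre-releases."""
    m = re.fullmatch(r"(\d+)\.(\d+)(?:\.(\d+))?(?:-([A-Za-z]+)(\d+))?", version)
    if not m:
        raise ValueError(f"unrecognised Log4j version string: {version!r}")
    major, minor, patch, tag, tag_num = m.groups()
    nums = (int(major), int(minor), int(patch or 0))
    return nums + ((1, "", 0) if tag is None else (0, tag.lower(), int(tag_num)))


def version_is_affected(version):
    """Affected ranges from this page: 2.0-beta9 up to <2.12.2, and 2.13.0 up to <2.16.0."""
    k = version_key(version)
    return (version_key("2.0-beta9") <= k < version_key("2.12.2")
            or version_key("2.13.0") <= k < version_key("2.16.0"))


def inspect_jar(path):
    """Report version, affected status, JndiLookup presence and an overall verdict."""
    with zipfile.ZipFile(path) as zf:
        names = set(zf.namelist())
        version = None
        if POM_PROPS_ENTRY in names:
            for line in zf.read(POM_PROPS_ENTRY).decode("utf-8", "replace").splitlines():
                if line.startswith("version="):
                    version = line.split("=", 1)[1].strip()
    affected = version_is_affected(version) if version else None
    has_lookup = JNDI_LOOKUP_ENTRY in names
    if affected and has_lookup:
        verdict = "vulnerable"        # affected release, remedy not applied
    elif affected:
        verdict = "mitigated"         # affected release, JndiLookup.class removed
    elif affected is None:
        verdict = "unknown-version"   # no pom.properties; judge on has_lookup alone
    else:
        verdict = "fixed"             # 2.12.2 / 2.16.0 or later
    return {"version": version, "version_affected": affected,
            "has_jndi_lookup": has_lookup, "verdict": verdict}


def remove_jndi_lookup(src, dst):
    """Copy src to dst without JndiLookup.class, keeping every other entry as-is."""
    with zipfile.ZipFile(src) as zin, zipfile.ZipFile(dst, "w") as zout:
        for item in zin.infolist():
            if item.filename != JNDI_LOOKUP_ENTRY:
                zout.writestr(item, zin.read(item.filename))


def risky_pattern_layouts(config_text):
    """Return each pattern="..." value in a log4j2.xml that pulls in Thread Context data."""
    patterns = re.findall(r'pattern\s*=\s*"([^"]*)"', config_text)
    return [p for p in patterns if RISKY_PATTERN_TOKENS.search(p)]


def build_sample_jar(path, version, include_jndi_lookup=True):
    """Constructed stand-in for a log4j-core jar holding only the entries inspect_jar reads."""
    with zipfile.ZipFile(path, "w") as zf:
        zf.writestr(POM_PROPS_ENTRY, "groupId=org.apache.logging.log4j\n"
                    f"artifactId=log4j-core\nversion={version}\n")
        if include_jndi_lookup:
            zf.writestr(JNDI_LOOKUP_ENTRY, b"placeholder, not real bytecode")


# Constructed log4j2.xml fragment: two layouts read MDC/context data, the third does not.
SAMPLE_CONFIG = """<Console name="out">
  <PatternLayout pattern="%d %p [user=%X{loginId}] %m%n"/>
</Console>
<File name="audit" fileName="audit.log">
  <PatternLayout pattern="%d %p $${ctx:loginId} %m%n"/>
</File>
<Console name="plain">
  <PatternLayout pattern="%d %p %c{1} %m%n"/>
</Console>
"""


def demo():
    """Build a constructed 2.15.0 jar, inspect it, apply the remedy, inspect the copy."""
    with tempfile.TemporaryDirectory() as tmp:
        jar = os.path.join(tmp, "log4j-core-2.15.0.jar")
        build_sample_jar(jar, "2.15.0")
        before = inspect_jar(jar)
        stripped = os.path.join(tmp, "log4j-core-2.15.0-nojndi.jar")
        remove_jndi_lookup(jar, stripped)
        after = inspect_jar(stripped)
    return before, after


if __name__ == "__main__":
    b, a = demo()
    print("before:", b)
    print("after: ", a)
    print("risky layouts:", risky_pattern_layouts(SAMPLE_CONFIG))
```

Point `inspect_jar` at every `log4j-core-*.jar` on a host's classpath (including jars nested inside WAR/EAR files, which this example does not unpack) and treat any `vulnerable` verdict, or any `unknown-version` jar that still contains the class, as needing the 2.16.0 upgrade or the class removal. The layout scan is a prioritisation aid only: the page's position is that a vulnerable version stays vulnerable regardless of `log4j2.formatMsgNoLookups`, so the version check decides.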

Frequently Asked Questions

  • What is the impact of CVE-2021-45046?

    The impact of CVE-2021-45046 is critical, with a severity value of 9. It could allow attackers with control over Thread Context Map (MDC) input data to execute arbitrary code.

  • What is the affected software for CVE-2021-45046?

    The affected software includes Apache Log4j2 versions prior to 2.17.1 and certain versions of eap7-log4j, log4j, and org.apache.logging.log4j:log4j-core.

  • How can I fix CVE-2021-45046?

    To fix CVE-2021-45046, update Apache Log4j2 to version 2.17.1 or newer. If using eap7-log4j, log4j, or org.apache.logging.log4j:log4j-core, update to the recommended versions provided by the respective vendors.

  • Where can I find more information about CVE-2021-45046?

    You can find more information about CVE-2021-45046 on the Apache Log4j website, CVE website, NIST National Vulnerability Database, Red Hat Security Advisories, and the Openwall mailing list.

  • What are the CWEs associated with CVE-2021-45046?

    The CWEs associated with CVE-2021-45046 are CWE-20, CWE-502, CWE-400, and CWE-917.

© 2024 SecAlerts Pty Ltd.