First published: Tue Dec 14 2021
Apache Log4j2 contains a deserialization of untrusted data vulnerability due to the incomplete fix of CVE-2021-44228, where the Thread Context Lookup Pattern is vulnerable to remote code execution in certain non-default configurations.
Credit: security@apache.org
Affected Software | Affected Version | How to fix |
---|---|---|
Apache Log4j2 | ||
debian/apache-log4j2 | <=2.15.0-1, <=2.15.0-1~deb10u1, <=2.15.0-1~deb11u1 | 2.16.0-1, 2.16.0-1~deb11u1, 2.16.0-1~deb10u1 |
maven/org.apache.logging.log4j:log4j-core | <2.12.2 | 2.12.2 |
maven/org.apache.logging.log4j:log4j-core | >=2.13.0, <2.16.0 | 2.16.0 |
Apache Log4j | >=2.0.1, <2.12.2 | |
Apache Log4j | >=2.13.0, <2.16.0 | |
Apache Log4j | =2.0 | |
Apache Log4j | =2.0-beta9 | |
Apache Log4j | =2.0-rc1 | |
Apache Log4j | =2.0-rc2 | |
Intel Computer Vision Annotation Tool | ||
Intel Genomics Kernel Library | ||
Intel Oneapi | ||
Intel Secure Device Onboard | ||
Intel System Debugger | ||
Intel System Studio | ||
Siemens Sppa-t3000 Ses3000 | ||
Siemens Capital | <2019.1 | |
Siemens Capital | =2019.1 | |
Siemens Capital | =2019.1-sp1912 | |
Siemens COMOS | ||
Apache Log4j2 | =4.0 | |
Apache Log4j2 | =4.1 | |
Apache Log4j2 | =4.2 | |
Apache Log4j2 | =5.0 | |
Apache Log4j2 | =5.1 | |
Siemens E-car Operation Center | <2021-12-13 | |
Apache Log4j2 | =3.1 | |
Apache Log4j2 | =8.5 | |
Apache Log4j2 | =8.6 | |
Apache Log4j2 | =8.7 | |
Apache Log4j2 | =9.0 | |
Siemens Energyip Prepay | =3.7 | |
Siemens Energyip Prepay | =3.8 | |
Apache Log4j2 | <8.6.2j-398 | |
Siemens Head-end System Universal Device Integration System | ||
Siemens Industrial Edge Management | ||
Apache Log4j2 | <2021-12-13 | |
Siemens Logo! Soft Comfort | ||
Apache Log4j2 | <2021-12-11 | |
Apache Log4j2 | <2021-12-13 | |
Siemens Opcenter Intelligence | <=3.2 | |
Apache Log4j2 | <=1.1.3 | |
Apache Log4j2 | =4.1 | |
Apache Log4j2 | =4.2 | |
Siemens Siguard Dsa | =4.2 | |
Siemens Siguard Dsa | =4.3 | |
Siemens Siguard Dsa | =4.4 | |
Siemens SiPass integrated | =2.80 | |
Siemens SiPass integrated | =2.85 | |
Siemens Siveillance Command | <=4.16.2.1 | |
Siemens Siveillance Control Pro | ||
Apache Log4j2 | =1.5 | |
Apache Log4j2 | =1.6 | |
Siemens Solid Edge Harness Design | <2020 | |
Siemens Solid Edge Harness Design | =2020 | |
Siemens Solid Edge Harness Design | =2020-sp2002 | |
Siemens Spectrum Power 4 | <4.70 | |
Siemens Spectrum Power 4 | =4.70 | |
Siemens Spectrum Power 4 | =4.70-sp7 | |
Siemens Spectrum Power 4 | =4.70-sp8 | |
Siemens Spectrum Power 7 | <2.30 | |
Siemens Spectrum Power 7 | =2.30 | |
Siemens Spectrum Power 7 | =2.30-sp2 | |
Siemens Tracealertserverplus | ||
Apache Log4j2 | <2019.1 | |
Apache Log4j2 | =2019.1 | |
Apache Log4j2 | =2019.1-sp1912 | |
Siemens Xpedition Package Integrator | ||
Debian Debian Linux | =10.0 | |
Debian Debian Linux | =11.0 | |
SonicWall Email Security | <10.0.12 | |
Fedoraproject Fedora | =34 | |
Fedoraproject Fedora | =35 | |
Apache Log4j2 | <2.7.0 | |
Apache Log4j2 | <2.7.0 | |
Siemens 6bk1602-0aa22-0tp0 | ||
Siemens 6bk1602-0aa32-0tp0 Firmware | <2.7.0 | |
Apache Log4j2 | <2.7.0 | |
Siemens 6bk1602-0aa42-0tp0 | ||
Siemens 6bk1602-0aa52-0tp0 Firmware | <2.7.0 | |
Siemens 6bk1602-0aa52-0tp0 | ||
redhat/log4j | <2.16.0 | 2.16.0 |
redhat/eap7-log4j | <0:2.17.1-1.redhat_00001.1.el8ea | 0:2.17.1-1.redhat_00001.1.el8ea |
redhat/eap7-log4j | <0:2.17.1-1.redhat_00001.1.el7ea | 0:2.17.1-1.redhat_00001.1.el7ea |
debian/apache-log4j2 | 2.17.1-1~deb10u1, 2.17.0-1~deb10u1, 2.17.1-1~deb11u1, 2.17.0-1~deb11u1, 2.19.0-2 |
The impact of CVE-2021-45046 is critical, with a severity value of 9. It could allow attackers who control Thread Context Map (MDC) input data to execute arbitrary code in the non-default configurations described above.
The affected software includes Apache Log4j2 versions prior to 2.17.1 and certain versions of eap7-log4j, log4j, and org.apache.logging.log4j:log4j-core.
To fix CVE-2021-45046, update Apache Log4j2 to version 2.17.1 or newer. If using eap7-log4j, log4j, or org.apache.logging.log4j:log4j-core, update to the recommended versions provided by the respective vendors.
You can find more information about CVE-2021-45046 on the Apache Log4j website, CVE website, NIST National Vulnerability Database, Red Hat Security Advisories, and the Openwall mailing list.
The CWEs associated with CVE-2021-45046 are CWE-20, CWE-502, CWE-400, and CWE-917.