⚠ Actively exploited in ransomware campaigns
This vulnerability is on the CISA Known Exploited Vulnerabilities list and has been used in known ransomware attacks. CISA required action: Apply updates per vendor instructions. Due date: 2023-05-22.
Severity: 9.0 CRITICAL
EPSS: 94.3% (top 0.04%)
CISA KEV: KEV, Ransomware; added 2023-05-01; due 2023-05-22
Exploit: Exploited in wild; active exploitation observed
Timeline: Published Dec 14; KEV added May 1; KEV due May 22

Description

It was found that the fix to address CVE-2021-44228 in Apache Log4j 2.15.0 was incomplete in certain non-default configurations. This could allow attackers with control over Thread Context Map (MDC) input data, when the logging configuration uses a non-default Pattern Layout with either a Context Lookup (for example, $${ctx:loginId}) or a Thread Context Map pattern (%X, %mdc, or %MDC), to craft malicious input data using a JNDI Lookup pattern resulting in an information leak and remote code execu

CVSS vector

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H
Exploitability: 2.2 | Impact: 6.0

Affected Packages (33 packages)

Maven | org.apache.logging.log4j:log4j-core | 2.13.0 | 2.16.0 | +1
CVEListV5 | apache_software_foundation/apache_log4j | Apache Log4j2 | 2.16.0
NVD | apache/log4j | 2.0.1 | 2.12.2 | +2
Debian | apache-log4j2 | < 2.16.0-1~deb11u1 | +3

Also affects: Debian Linux 10.0, 11.0, Fedora 34, 35

Patches

🔴 Vulnerability Details (5)

OSV | CVE-2021-45046: It was found that the fix to address CVE-2021-44228 in Apache Log4j 2 | 2021-12-14
OSV | Incomplete fix for Apache Log4j vulnerability | 2021-12-14
CVEList | Apache Log4j2 Thread Context Message Pattern and Context Lookup Pattern vulnerable to a denial of service attack | 2021-12-14
GHSA | Incomplete fix for Apache Log4j vulnerability | 2021-12-14
VulnCheck | Apache Log4j2 Deserialization of Untrusted Data Vulnerability | 2021

💥 Exploits & PoCs (2)

Nuclei | Apache Log4j2 - Remote Code Injection
Nuclei | Apache Log4j2 - Remote Code Injection

📋 Vendor Advisories (7)

CISA | Apache Log4j2 Deserialization of Untrusted Data Vulnerability | 2023-05-01
Ubuntu | Apache Log4j 2 vulnerability | 2021-12-15
Red Hat | log4j-core: DoS in log4j 2.x with thread context message pattern and context lookup pattern (incomplete fix for CVE-2021-44228) | 2021-12-14
VMware | VMware Response to Apache Log4j Remote Code Execution Vulnerabilities (CVE-2021-44228, CVE-2021-45046) | 2021-12-10
Cisco | Vulnerabilities in Apache Log4j Library Affecting Cisco Products: December 2021 | 2021-12-10

🕵️ Threat Intelligence (13)

Elastic | Analysis of Log4Shell vulnerability & CVE-2021-45046 — Elastic Security Labs | 2022-11-30
Elastic | Analysis of Log4Shell vulnerability & CVE-2021-45046 — Elastic Security Labs | 2022-11-30
SentinelOne | Log4j One Month On | Crimeware and Exploitation Roundup | 2022-01-10
SentinelOne | Log4j One Month On | Crimeware and Exploitation Roundup | 2022-01-10
Qualys | 6 Ways to Quickly Detect a Log4Shell Exploit in Your Environment | 2021-12-20