CVE-2021-45046
CVE-2021-45046 is a critical-severity vulnerability rated 9/10 on the CVSS scale. The fix for CVE-2021-44228 in Apache Log4j 2.15.0 was found to be incomplete in certain non-default configurations. When the logging configuration uses a non-default Pattern Layout with either a Context Lookup (for example, $${ctx:loginId}) or a Thread Context Map pattern (%X, %mdc, or %MDC), attackers with control over Thread Context Map (MDC) input data can craft malicious input using a JNDI Lookup pattern, resulting in an information leak and remote code execution in some environments and local code execution in all environments. CISA has confirmed active exploitation in the wild. EPSS estimates a 99.98% chance of exploitation in the next 30 days.
Description
It was found that the fix to address CVE-2021-44228 in Apache Log4j 2.15.0 was incomplete in certain non-default configurations. When the logging configuration uses a non-default Pattern Layout with either a Context Lookup (for example, $${ctx:loginId}) or a Thread Context Map pattern (%X, %mdc, or %MDC), this could allow attackers with control over Thread Context Map (MDC) input data to craft malicious input data using a JNDI Lookup pattern, resulting in an information leak and remote code execution in some environments and local code execution in all environments. Log4j 2.16.0 (Java 8) and 2.12.2 (Java 7) fix this issue by removing support for message lookup patterns and disabling JNDI functionality by default.
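The description states two conditions that must both hold: an affected release and a PatternLayout that uses a Context Lookup or a Thread Context Map pattern. The Python below is an added example, not code from this page or from the Log4j project; it checks both conditions against a version string and a log4j2.xml, with the version ranges taken from the table on this page and the sample configuration constructed for illustration.

```python
import re
import xml.etree.ElementTree as ET

# Risky PatternLayout elements named in the advisory: a Context Lookup
# (${ctx:...} / $${ctx:...}) or a Thread Context Map pattern (%X, %mdc, %MDC).
RISKY_PATTERN = re.compile(r"\$\$?\{ctx:|%(?:X|mdc|MDC)\b")

# Affected ranges from this page's table, as (inclusive low, exclusive high).
AFFECTED_RANGES = [
    ((2, 0, 0), (2, 0, 1)),    # 2.0
    ((2, 0, 1), (2, 12, 2)),   # >= 2.0.1, < 2.12.2  (2.12.2 is the Java 7 fix)
    ((2, 13, 0), (2, 16, 0)),  # >= 2.13.0, < 2.16.0 (2.16.0 is the Java 8 fix)
]

def is_affected_version(version):
    """True if a Log4j 2 version string falls inside an affected range."""
    m = re.match(r"(\d+)\.(\d+)(?:\.(\d+))?", version)
    if not m:
        raise ValueError(f"unrecognised Log4j version: {version!r}")
    v = (int(m[1]), int(m[2]), int(m[3] or 0))
    return any(low <= v < high for low, high in AFFECTED_RANGES)

def risky_layouts(config_xml):
    """Return (appender name, pattern) for each PatternLayout using a risky element."""
    hits = []
    for element in ET.fromstring(config_xml).iter():
        for layout in element.findall("PatternLayout"):
            # Log4j accepts the pattern as an attribute or as a <Pattern> child.
            pattern = layout.get("pattern") or layout.findtext("Pattern") or ""
            if RISKY_PATTERN.search(pattern):
                hits.append((element.get("name"), pattern))
    return hits

def assess(config_xml, version):
    """CVE-2021-45046 needs both: an affected release and a risky layout."""
    affected, hits = is_affected_version(version), risky_layouts(config_xml)
    return {"affected_version": affected, "risky_layouts": hits,
            "exposed": affected and bool(hits)}

# Constructed sample log4j2.xml: "Console" uses both risky forms, "Audit" does not.
SAMPLE_CONFIG = """<Configuration status="WARN">
  <Appenders>
    <Console name="Console" target="SYSTEM_OUT">
      <PatternLayout pattern="%d{HH:mm:ss} [%t] %-5level user=$${ctx:loginId} %X{requestId} - %msg%n"/>
    </Console>
    <File name="Audit" fileName="audit.log"><PatternLayout><Pattern>%d %p %c - %m%n</Pattern></PatternLayout></File>
  </Appenders>
  <Loggers><Root level="info"><AppenderRef ref="Console"/><AppenderRef ref="Audit"/></Root></Loggers>
</Configuration>"""
```

Running `assess(SAMPLE_CONFIG, "2.15.0")` reports the Console appender as exposed, while the same configuration on 2.16.0 is not, matching the fixed versions the description names.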
Metrics
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H
Exploitation Status
This vulnerability is listed in CISA’s Known Exploited Vulnerabilities catalog, confirming active exploitation in the wild. Federal agencies must remediate by .
Weakness Enumeration
Affected Software
| Vendor | Product | Versions |
|---|---|---|
| Apache | Log4j | >= 2.0.1, < 2.12.2 |
| Apache | Log4j | >= 2.13.0, < 2.16.0 |
| Apache | Log4j | 2.0 |
| Cvat | Computer Vision Annotation Tool | All versions |
| Intel | Audio Development Kit | All versions |
| Intel | Datacenter Manager | All versions |
| Intel | Genomics Kernel Library | All versions |
| Intel | Oneapi | All versions |
| Intel | Secure Device Onboard | All versions |
| Intel | Sensor Solution Firmware Development Kit | All versions |
| Intel | System Debugger | All versions |
| Intel | System Studio | All versions |
| Siemens | Sppa-T3000 Ses3000 Firmware | All versions |
| Siemens | Capital | < 2019.1 |
| Siemens | Capital | 2019.1 |
| Siemens | Comos | All versions |
| Siemens | Desigo Cc Advanced Reports | 4.0 |
| Siemens | Desigo Cc Advanced Reports | 4.1 |
| Siemens | Desigo Cc Advanced Reports | 4.2 |
| Siemens | Desigo Cc Advanced Reports | 5.0 |
| Siemens | Desigo Cc Advanced Reports | 5.1 |
| Siemens | Desigo Cc Info Center | 5.0 |
| Siemens | Desigo Cc Info Center | 5.1 |
| Siemens | E-Car Operation Center | < 2021-12-13 |
| Siemens | Energy Engage | 3.1 |
| Siemens | Energyip | 8.5 |
| Siemens | Energyip | 8.6 |
| Siemens | Energyip | 8.7 |
| Siemens | Energyip | 9.0 |
| Siemens | Energyip Prepay | 3.7 |
| Siemens | Energyip Prepay | 3.8 |
| Siemens | Gma-Manager | < 8.6.2j-398 |
| Siemens | Head-End System Universal Device Integration System | All versions |
| Siemens | Industrial Edge Management | All versions |
| Siemens | Industrial Edge Management Hub | < 2021-12-13 |
| Siemens | Logo! Soft Comfort | All versions |
| Siemens | Mendix | All versions |
| Siemens | Mindsphere | < 2021-12-11 |
| Siemens | Navigator | < 2021-12-13 |
| Siemens | Nx | All versions |
| Siemens | Opcenter Intelligence | <= 3.2 |
| Siemens | Operation Scheduler | <= 1.1.3 |
| Siemens | Sentron Powermanager | 4.1 |
| Siemens | Sentron Powermanager | 4.2 |
| Siemens | Siguard Dsa | 4.2 |
| Siemens | Siguard Dsa | 4.3 |
| Siemens | Siguard Dsa | 4.4 |
| Siemens | Sipass Integrated | 2.80 |
| Siemens | Sipass Integrated | 2.85 |
| Siemens | Siveillance Command | <= 4.16.2.1 |
Showing 50 of 78 affected configurations. See NVD for the full list.
References
- http://www.openwall.com/lists/oss-security/2021/12/14/4 (Mailing List, Mitigation, Third Party Advisory)
- http://www.openwall.com/lists/oss-security/2021/12/15/3 (Mailing List, Third Party Advisory)
- http://www.openwall.com/lists/oss-security/2021/12/18/1 (Mailing List, Third Party Advisory)
- https://cert-portal.siemens.com/productcert/pdf/ssa-397453.pdf (Third Party Advisory)
- https://cert-portal.siemens.com/productcert/pdf/ssa-479842.pdf (Third Party Advisory)
- https://cert-portal.siemens.com/productcert/pdf/ssa-661247.pdf (Third Party Advisory)
- https://cert-portal.siemens.com/productcert/pdf/ssa-714170.pdf (Third Party Advisory)
- https://logging.apache.org/log4j/2.x/security.html (Mitigation, Release Notes, Vendor Advisory)
- https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2021-0032 (Third Party Advisory)
- https://security.gentoo.org/glsa/202310-16 (Third Party Advisory)
- https://www.cve.org/CVERecord?id=CVE-2021-44228 (Not Applicable)
- https://www.debian.org/security/2021/dsa-5022 (Third Party Advisory)
- https://www.kb.cert.org/vuls/id/930724 (Third Party Advisory, US Government Resource)
- https://www.oracle.com/security-alerts/alert-cve-2021-44228.html (Third Party Advisory)
- https://www.oracle.com/security-alerts/cpuapr2022.html (Third Party Advisory)
- https://www.oracle.com/security-alerts/cpujan2022.html (Patch, Third Party Advisory)
- https://www.oracle.com/security-alerts/cpujul2022.html (Third Party Advisory)
- https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2021-45046 (US Government Resource)
Source: NVD / NIST
