CVE-2021-45046 - Vulnerability Details

CVE-2021-45046 - Apache Log4j2 Thread Context Message Pattern and Context Lookup Pattern vulnerable to a denial of service attack

It was found that the fix to address CVE-2021-44228 in Apache Log4j 2.15.0 was incomplete in certain non-default configurations. This could allows attackers with control over Thread Context Map (MDC) input data when the logging configuration uses a non-default Pattern Layout with either a Context Lookup (for example, $${ctx:loginId}) or a Thread Context Map pattern (%X, %mdc, or %MDC) to craft malicious input data using a JNDI Lookup pattern resulting in an information leak and remote code execution in some environments and local code execution in all environments. Log4j 2.16.0 (Java 8) and 2.12.2 (Java 7) fix this issue by removing support for message lookup patterns and disabling JNDI functionality by default.

No CVSS v4.0

Attack Vector Network

Attack Complexity High

Privileges Required None

Scope Changed

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

No CVSS v3.0

Access Vector Network

Access Complexity High

Authentication None

Confidentiality Impact Partial

Integrity Impact Partial

Availability Impact Partial

This CVE is in the KEV database since May 1, 2023.

Exploitation active

Automatable no

Technical Impact total

Vendors	Products
Apache	Log4j
Cvat	Computer Vision Annotation Tool
Debian	Debian Linux
Fedoraproject	Fedora
Intel	Audio Development Kit Datacenter Manager Genomics Kernel Library Oneapi Secure Device Onboard Sensor Solution Firmware Development Kit System Debugger System Studio
Redhat	Amq Streams Camel Quarkus Integration Jboss Data Grid Jboss Enterprise Application Platform Jboss Fuse Logging Openshift Openshift Application Runtimes
Siemens	6bk1602-0aa12-0tp0 6bk1602-0aa12-0tp0 Firmware 6bk1602-0aa22-0tp0 6bk1602-0aa22-0tp0 Firmware 6bk1602-0aa32-0tp0 6bk1602-0aa32-0tp0 Firmware 6bk1602-0aa42-0tp0 6bk1602-0aa42-0tp0 Firmware 6bk1602-0aa52-0tp0 6bk1602-0aa52-0tp0 Firmware Captial Comos Desigo Cc Advanced Reports Desigo Cc Info Center E-car Operation Center Energy Engage Energyip Energyip Prepay Gma-manager Head-end System Universal Device Integration System Industrial Edge Management Industrial Edge Management Hub Logo\! Soft Comfort Mendix Mindsphere Navigator Nx Opcenter Intelligence Operation Scheduler Sentron Powermanager Siguard Dsa Sipass Integrated Siveillance Command Siveillance Control Pro Siveillance Identity Siveillance Vantage Siveillance Viewpoint Solid Edge Cam Pro Solid Edge Harness Design Spectrum Power 4 Spectrum Power 7 Sppa-t3000 Ses3000 Sppa-t3000 Ses3000 Firmware Teamcenter Tracealertserverplus Vesys Xpedition Enterprise Xpedition Package Integrator
Sonicwall	Email Security

Configuration 1 [-]

OR	cpe:2.3:a:apache:log4j::::::::
	cpe:2.3:a:apache:log4j::::::::
	cpe:2.3:a:apache:log4j:2.0:-::::::
	cpe:2.3:a:apache:log4j:2.0:beta9::::::
	cpe:2.3:a:apache:log4j:2.0:rc1::::::
	cpe:2.3:a:apache:log4j:2.0:rc2::::::

Configuration 2 [-]

OR	cpe:2.3:a:cvat:computer_vision_annotation_tool:-:::::::*
	cpe:2.3:a:intel:audio_development_kit:-:::::::*
	cpe:2.3:a:intel:datacenter_manager:-:::::::*
	cpe:2.3:a:intel:genomics_kernel_library:-:::::::*
	cpe:2.3:a:intel:oneapi:-:::::eclipse::
	cpe:2.3:a:intel:secure_device_onboard:-:::::::*
	cpe:2.3:a:intel:sensor_solution_firmware_development_kit:-:::::::*
	cpe:2.3:a:intel:system_debugger:-:::::::*
	cpe:2.3:a:intel:system_studio:-:::::::*

Configuration 3 [-]

AND

cpe:2.3:o:siemens:sppa-t3000_ses3000_firmware:*:*:*:*:*:*:*:*

cpe:2.3:h:siemens:sppa-t3000_ses3000:-:*:*:*:*:*:*:*

Configuration 4 [-]

OR	cpe:2.3:a:siemens:captial::::::::
	cpe:2.3:a:siemens:captial:2019.1:-::::::
	cpe:2.3:a:siemens:captial:2019.1:sp1912::::::
	cpe:2.3:a:siemens:comos::::::::
	cpe:2.3:a:siemens:desigo_cc_advanced_reports:4.0:::::::*
	cpe:2.3:a:siemens:desigo_cc_advanced_reports:4.1:::::::*
	cpe:2.3:a:siemens:desigo_cc_advanced_reports:4.2:::::::*
	cpe:2.3:a:siemens:desigo_cc_advanced_reports:5.0:::::::*
	cpe:2.3:a:siemens:desigo_cc_advanced_reports:5.1:::::::*
	cpe:2.3:a:siemens:desigo_cc_info_center:5.0:::::::*
	cpe:2.3:a:siemens:desigo_cc_info_center:5.1:::::::*
	cpe:2.3:a:siemens:e-car_operation_center::::::::
	cpe:2.3:a:siemens:energy_engage:3.1:::::::*
	cpe:2.3:a:siemens:energyip:8.5:::::::*
	cpe:2.3:a:siemens:energyip:8.6:::::::*
	cpe:2.3:a:siemens:energyip:8.7:::::::*
	cpe:2.3:a:siemens:energyip:9.0:::::::*
	cpe:2.3:a:siemens:energyip_prepay:3.7:::::::*
	cpe:2.3:a:siemens:energyip_prepay:3.8:::::::*
	cpe:2.3:a:siemens:gma-manager::::::::
	cpe:2.3:a:siemens:head-end_system_universal_device_integration_system::::::::
	cpe:2.3:a:siemens:industrial_edge_management::::::::
	cpe:2.3:a:siemens:industrial_edge_management_hub::::::::
	cpe:2.3:a:siemens:logo\!_soft_comfort::::::::
	cpe:2.3:a:siemens:mendix::::::::
	cpe:2.3:a:siemens:mindsphere::::::::
	cpe:2.3:a:siemens:navigator::::::::
	cpe:2.3:a:siemens:nx::::::::
	cpe:2.3:a:siemens:opcenter_intelligence::::::::
	cpe:2.3:a:siemens:operation_scheduler::::::::
	cpe:2.3:a:siemens:sentron_powermanager:4.1:::::::*
	cpe:2.3:a:siemens:sentron_powermanager:4.2:::::::*
	cpe:2.3:a:siemens:siguard_dsa:4.2:::::::*
	cpe:2.3:a:siemens:siguard_dsa:4.3:::::::*
	cpe:2.3:a:siemens:siguard_dsa:4.4:::::::*
	cpe:2.3:a:siemens:sipass_integrated:2.80:::::::*
	cpe:2.3:a:siemens:sipass_integrated:2.85:::::::*
	cpe:2.3:a:siemens:siveillance_command::::::::
	cpe:2.3:a:siemens:siveillance_control_pro::::::::
	cpe:2.3:a:siemens:siveillance_identity:1.5:::::::*
	cpe:2.3:a:siemens:siveillance_identity:1.6:::::::*
	cpe:2.3:a:siemens:siveillance_vantage::::::::
	cpe:2.3:a:siemens:siveillance_viewpoint::::::::
	cpe:2.3:a:siemens:solid_edge_cam_pro::::::::
	cpe:2.3:a:siemens:solid_edge_harness_design::::::::
	cpe:2.3:a:siemens:solid_edge_harness_design:2020:::::::*
	cpe:2.3:a:siemens:solid_edge_harness_design:2020:-::::::
	cpe:2.3:a:siemens:solid_edge_harness_design:2020:sp2002::::::
	cpe:2.3:a:siemens:spectrum_power_4::::::::
	cpe:2.3:a:siemens:spectrum_power_4:4.70:-::::::
	cpe:2.3:a:siemens:spectrum_power_4:4.70:sp7::::::
	cpe:2.3:a:siemens:spectrum_power_4:4.70:sp8::::::
	cpe:2.3:a:siemens:spectrum_power_7::::::::
	cpe:2.3:a:siemens:spectrum_power_7:2.30:::::::*
	cpe:2.3:a:siemens:spectrum_power_7:2.30:-::::::
	cpe:2.3:a:siemens:spectrum_power_7:2.30:sp2::::::
	cpe:2.3:a:siemens:teamcenter::::::::
	cpe:2.3:a:siemens:tracealertserverplus::::::::
	cpe:2.3:a:siemens:vesys::::::::
	cpe:2.3:a:siemens:vesys:2019.1:::::::*
	cpe:2.3:a:siemens:vesys:2019.1:-::::::
	cpe:2.3:a:siemens:vesys:2019.1:sp1912::::::
	cpe:2.3:a:siemens:xpedition_enterprise:-:::::::*
	cpe:2.3:a:siemens:xpedition_package_integrator:-:::::::*

Configuration 5 [-]

OR	cpe:2.3:o:debian:debian_linux:10.0:::::::*
	cpe:2.3:o:debian:debian_linux:11.0:::::::*

Configuration 6 [-]

cpe:2.3:a:sonicwall:email_security:*:*:*:*:*:*:*:*

Configuration 7 [-]

OR	cpe:2.3:o:fedoraproject:fedora:34:::::::*
	cpe:2.3:o:fedoraproject:fedora:35:::::::*

Configuration 8 [-]

AND

cpe:2.3:h:siemens:6bk1602-0aa12-0tp0:-:*:*:*:*:*:*:*

cpe:2.3:o:siemens:6bk1602-0aa12-0tp0_firmware:*:*:*:*:*:*:*:*

Configuration 9 [-]

AND

cpe:2.3:h:siemens:6bk1602-0aa22-0tp0:-:*:*:*:*:*:*:*

cpe:2.3:o:siemens:6bk1602-0aa22-0tp0_firmware:*:*:*:*:*:*:*:*

Configuration 10 [-]

AND

cpe:2.3:h:siemens:6bk1602-0aa32-0tp0:-:*:*:*:*:*:*:*

cpe:2.3:o:siemens:6bk1602-0aa32-0tp0_firmware:*:*:*:*:*:*:*:*

Configuration 11 [-]

AND

cpe:2.3:h:siemens:6bk1602-0aa42-0tp0:-:*:*:*:*:*:*:*

cpe:2.3:o:siemens:6bk1602-0aa42-0tp0_firmware:*:*:*:*:*:*:*:*

Configuration 12 [-]

AND

cpe:2.3:h:siemens:6bk1602-0aa52-0tp0:-:*:*:*:*:*:*:*

cpe:2.3:o:siemens:6bk1602-0aa52-0tp0_firmware:*:*:*:*:*:*:*:*

Package	CPE	Advisory	Released Date
EAP 7.4.4 release
log4j-core	cpe:/a:redhat:jboss_enterprise_application_platform:7.4	RHSA-2022:1299	2022-04-11T00:00:00Z
EAP 7.4 log4j async
log4j-core	cpe:/a:redhat:jboss_enterprise_application_platform:7.4	RHSA-2022:0216	2022-01-20T00:00:00Z
OpenShift Logging 5.0
openshift-logging/elasticsearch6-rhel8:v5.0.10-1	cpe:/a:redhat:logging:5.0::el8	RHSA-2021:5137	2021-12-14T00:00:00Z
OpenShift Logging 5.1
openshift-logging/elasticsearch6-rhel8:v6.8.1-67	cpe:/a:redhat:logging:5.1::el8	RHSA-2021:5128	2021-12-14T00:00:00Z
OpenShift Logging 5.2
openshift-logging/elasticsearch6-rhel8:v6.8.1-66	cpe:/a:redhat:logging:5.2::el8	RHSA-2021:5127	2021-12-14T00:00:00Z
OpenShift Logging 5.3
openshift-logging/elasticsearch6-rhel8:v6.8.1-65	cpe:/a:redhat:logging:5.3::el8	RHSA-2021:5129	2021-12-14T00:00:00Z
Red Hat AMQ Streams 2.0.0
	cpe:/a:redhat:amq_streams:2	RHSA-2022:0138	2022-01-13T00:00:00Z
Red Hat Data Grid 8.2.3
log4j-core	cpe:/a:redhat:jboss_data_grid:8.2	RHSA-2022:0205	2022-01-20T00:00:00Z
Red Hat Fuse 7.8.2, 7.9.1, 7.10.1
log4j-core	cpe:/a:redhat:jboss_fuse:7	RHSA-2022:0203	2022-01-20T00:00:00Z
Red Hat Integration Camel Extensions for Quarkus 2.2
log4j-core	cpe:/a:redhat:camel_quarkus:2.2	RHSA-2022:0222	2022-01-20T00:00:00Z
Red Hat Integration Camel-K 1.6.3
log4j-core	cpe:/a:redhat:integration:1	RHSA-2022:0223	2022-01-20T00:00:00Z
Red Hat JBoss Enterprise Application Platform 7.4 for RHEL 8
eap7-log4j-0:2.17.1-1.redhat_00001.1.el8eap	cpe:/a:redhat:jboss_enterprise_application_platform:7.4::el8	RHSA-2022:1297	2022-04-11T00:00:00Z
Red Hat JBoss Enterprise Application Platform 7.4 on RHEL 7
eap7-log4j-0:2.17.1-1.redhat_00001.1.el7eap	cpe:/a:redhat:jboss_enterprise_application_platform:7.4::el7	RHSA-2022:1296	2022-04-11T00:00:00Z
Red Hat OpenShift Container Platform 3.11
openshift3/ose-logging-elasticsearch5:v3.11.570-2.gd119820	cpe:/a:redhat:openshift:3.11::el7	RHSA-2021:5094	2021-12-14T00:00:00Z
Red Hat OpenShift Container Platform 4.6
openshift4/ose-logging-elasticsearch6:v4.6.0-202112132021.p0.g2a13a81.assembly.stream	cpe:/a:redhat:openshift:4.6::el8	RHSA-2021:5106	2021-12-16T00:00:00Z
openshift4/ose-metering-hive:v4.6.0-202112140546.p0.g8b9da97.assembly.stream	cpe:/a:redhat:openshift:4.6::el8	RHSA-2021:5106	2021-12-16T00:00:00Z
openshift4/ose-metering-presto:v4.6.0-202112150545.p0.g190688a.assembly.art3595	cpe:/a:redhat:openshift:4.6::el8	RHSA-2021:5141	2021-12-16T00:00:00Z
Red Hat OpenShift Container Platform 4.7
openshift4/ose-metering-hive:v4.7.0-202112140553.p0.g091bb99.assembly.stream	cpe:/a:redhat:openshift:4.7::el8	RHSA-2021:5107	2021-12-16T00:00:00Z
openshift4/ose-metering-presto:v4.7.0-202112150631.p0.gd502108.assembly.4.7.40	cpe:/a:redhat:openshift:4.7::el8	RHSA-2021:5107	2021-12-16T00:00:00Z
Red Hat OpenShift Container Platform 4.8
openshift4/ose-metering-hive:v4.8.0-202112132154.p0.g57dd03a.assembly.stream	cpe:/a:redhat:openshift:4.8::el8	RHSA-2021:5108	2021-12-14T00:00:00Z
openshift4/ose-metering-presto:v4.8.0-202112150431.p0.g4b934ae.assembly.art3599	cpe:/a:redhat:openshift:4.8::el8	RHSA-2021:5148	2021-12-15T00:00:00Z
Vert.x 4.1.8
log4j-core	cpe:/a:redhat:openshift_application_runtimes:1.0	RHSA-2022:0083	2022-01-20T00:00:00Z

References

Link	Providers
http://www.openwall.com/lists/oss-security/2021/12/14/4
http://www.openwall.com/lists/oss-security/2021/12/15/3
http://www.openwall.com/lists/oss-security/2021/12/18/1
https://access.redhat.com/security/cve/CVE-2021-44228
https://cert-portal.siemens.com/productcert/pdf/ssa-397453.pdf
https://cert-portal.siemens.com/productcert/pdf/ssa-479842.pdf
https://cert-portal.siemens.com/productcert/pdf/ssa-661247.pdf
https://cert-portal.siemens.com/productcert/pdf/ssa-714170.pdf
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/EOKPQGV24RRBBI4TBZUDQMM4MEH7MXCY/
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/SIG7FZULMNK2XF6FZRU4VWYDQXNMUGAJ/
https://logging.apache.org/log4j/2.x/security.html
https://nvd.nist.gov/vuln/detail/CVE-2021-45046
https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2021-0032
https://security.gentoo.org/glsa/202310-16
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-apache-log4j-qRuKNEbd
https://www.cisa.gov/known-exploited-vulnerabilities-catalog
https://www.cve.org/CVERecord?id=CVE-2021-44228
https://www.cve.org/CVERecord?id=CVE-2021-45046
https://www.debian.org/security/2021/dsa-5022
https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00646.html
https://www.kb.cert.org/vuls/id/930724
https://www.openwall.com/lists/oss-security/2021/12/14/4
https://www.oracle.com/security-alerts/alert-cve-2021-44228.html
https://www.oracle.com/security-alerts/cpuapr2022.html
https://www.oracle.com/security-alerts/cpujan2022.html
https://www.oracle.com/security-alerts/cpujul2022.html

History

Wed, 05 Feb 2025 14:15:00 +0000

Type	Values Removed	Values Added
Metrics		kev `{'dateAdded': '2023-05-01'}` ssvc `{'options': {'Automatable': 'no', 'Exploitation': 'active', 'Technical Impact': 'total'}, 'version': '2.0.3'}`

Thu, 31 Oct 2024 12:45:00 +0000

Type	Values Removed	Values Added
First Time appeared		Cvat Cvat computer Vision Annotation Tool
CPEs	cpe:2.3:a:intel:computer_vision_annotation_tool:-:::::::*	cpe:2.3:a:cvat:computer_vision_annotation_tool:-:::::::*
Vendors & Products	Intel computer Vision Annotation Tool	Cvat Cvat computer Vision Annotation Tool

Wed, 14 Aug 2024 00:45:00 +0000

Type	Values Removed	Values Added
References		https://www.cisa.gov/known-exploited-vulnerabilities-catalog

MITRE

Status: PUBLISHED

Assigner: apache

Published: 2021-12-14T16:55:09.000Z

Updated: 2025-02-13T16:28:47.212Z

Reserved: 2021-12-14T00:00:00.000Z

Link: CVE-2021-45046

Vulnrichment

Updated: 2024-08-04T04:32:13.624Z

NVD

Status : Modified

Published: 2021-12-14T19:15:07.733

Modified: 2025-02-04T20:15:45.010

Link: CVE-2021-45046

Redhat

Severity : Moderate

Publid Date: 2021-12-14T00:00:00Z

Links: CVE-2021-45046 - Bugzilla

Metrics

Attack Vector Network

Attack Complexity High

Privileges Required None

Scope Changed

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

Access Vector Network

Access Complexity High

Authentication None

Confidentiality Impact Partial

Integrity Impact Partial

Availability Impact Partial

Exploitation active

Automatable no

Technical Impact total

Affected Vendors & Products

JSON object

JSON object

JSON object

JSON object