Vulnerabilities > CVE-2021-45046 - Expression Language Injection vulnerability in multiple products
Summary
It was found that the fix to address CVE-2021-44228 in Apache Log4j 2.15.0 was incomplete in certain non-default configurations. This could allow attackers with control over Thread Context Map (MDC) input data, when the logging configuration uses a non-default Pattern Layout with either a Context Lookup (for example, $${ctx:loginId}) or a Thread Context Map pattern (%X, %mdc, or %MDC), to craft malicious input data using a JNDI Lookup pattern, resulting in an information leak and remote code execution in some environments and local code execution in all environments. Log4j 2.16.0 (Java 8) and 2.12.2 (Java 7) fix this issue by removing support for message lookup patterns and disabling JNDI functionality by default.
Vulnerable Configurations
Common Weakness Enumeration (CWE)
Related news
- Second Log4j Vulnerability (CVE-2021-45046) Discovered — New Patch Released (source)
- Apache Issues 3rd Patch to Fix New High-Severity Log4j Vulnerability (source)
- New Local Attack Vector Expands the Attack Surface of Log4j Vulnerability (source)
- Bad things come in threes: Apache reveals another Log4J bug (source)
- NVIDIA discloses applications impacted by Log4j vulnerability (source)
- CISA releases Apache Log4j scanner to find vulnerable apps (source)
- ‘Hack DHS’ bug bounty program expands to Log4j security flaws (source)
- CISA, FBI and NSA Publish Joint Advisory and Scanner for Log4j Vulnerabilities (source)
- New Apache Log4j Update Released to Patch Newly Discovered Vulnerability (source)
- FTC warns companies to secure consumer data from Log4J attacks (source)
- Microsoft Warns of Continued Attacks Exploiting Apache Log4j Vulnerabilities (source)
- NHS warns of hackers exploiting Log4Shell in VMware Horizon (source)
- Alert: Active Exploitation of TP-Link, Apache, and Oracle Vulnerabilities Detected (source)
References
- http://www.openwall.com/lists/oss-security/2021/12/14/4
- https://logging.apache.org/log4j/2.x/security.html
- https://www.cve.org/CVERecord?id=CVE-2021-44228
- https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00646.html
- https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-apache-log4j-qRuKNEbd
- http://www.openwall.com/lists/oss-security/2021/12/15/3
- https://cert-portal.siemens.com/productcert/pdf/ssa-661247.pdf
- https://www.kb.cert.org/vuls/id/930724
- https://cert-portal.siemens.com/productcert/pdf/ssa-714170.pdf
- https://www.debian.org/security/2021/dsa-5022
- https://www.oracle.com/security-alerts/alert-cve-2021-44228.html
- https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2021-0032
- http://www.openwall.com/lists/oss-security/2021/12/18/1
- https://cert-portal.siemens.com/productcert/pdf/ssa-397453.pdf
- https://cert-portal.siemens.com/productcert/pdf/ssa-479842.pdf
- https://www.oracle.com/security-alerts/cpujan2022.html
- https://www.oracle.com/security-alerts/cpuapr2022.html
- https://www.oracle.com/security-alerts/cpujul2022.html
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/SIG7FZULMNK2XF6FZRU4VWYDQXNMUGAJ/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/EOKPQGV24RRBBI4TBZUDQMM4MEH7MXCY/
- https://security.gentoo.org/glsa/202310-16