CVE-2021-45046

CRITICALImmediate

Published:Dec 14, 2021(4 years ago)

Modified:Oct 27, 2025

Remote ExploitNo Auth RequiredNo InteractionScope Changes

Vulnerability Description

It was found that the fix to address CVE-2021-44228 in Apache Log4j 2.15.0 was incomplete in certain non-default configurations. This could allows attackers with control over Thread Context Map (MDC) input data when the logging configuration uses a non-default Pattern Layout with either a Context Lookup (for example, $${ctx:loginId}) or a Thread Context Map pattern (%X, %mdc, or %MDC) to craft malicious input data using a JNDI Lookup pattern resulting in an information leak and remote code execution in some environments and local code execution in all environments. Log4j 2.16.0 (Java 8) and 2.12.2 (Java 7) fix this issue by removing support for message lookup patterns and disabling JNDI functionality by default.

Attack Characteristics

Network AccessHigh ComplexityNo Auth NeededNo User Interaction

🤖

AI analysis not yet available

Plain-English explanation, risk summary, and remediation steps will appear here once AI analysis is complete.

No Fix Known

No patch has been released yet. Apply workarounds or mitigations where available.

Affected Software

Vendor	Product	Versions	Fixed In
apache	log4j	2.0.1 - 2.12.2	-
apache	log4j	2.13.0 - 2.16.0

Timeline

Published
CVE disclosed publicly
Dec 14, 20214 years ago
Last Modified
Most recent update
Oct 27, 20256 months ago
Indexed to CVEInsight
Added to this platform
Mar 29, 20261 month ago

References

http://www.openwall.com/lists/oss-security/2021/12/14/4Mailing List
http://www.openwall.com/lists/oss-security/2021/12/15/3Mailing List
http://www.openwall.com/lists/oss-security/2021/12/18/1Mailing List

CVSS Score

v3.1

9.0/ 10.0

CRITICAL

AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H

At a Glance

Affected Products

References

apache / log4j

https://cert-portal.siemens.com/productcert/pdf/ssa-397453.pdfThird Party Advisory

https://cert-portal.siemens.com/productcert/pdf/ssa-479842.pdfThird Party Advisory

https://cert-portal.siemens.com/productcert/pdf/ssa-661247.pdfThird Party Advisory

https://cert-portal.siemens.com/productcert/pdf/ssa-714170.pdfThird Party Advisory

https://lists.fedoraproject.org/archives/list/package-announce%40lists...Mailing List

https://logging.apache.org/log4j/2.x/security.htmlMitigation

https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2021-0032Third Party Advisory

https://security.gentoo.org/glsa/202310-16Third Party Advisory

https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/...Third Party Advisory

https://www.cve.org/CVERecord?id=CVE-2021-44228Not Applicable

https://www.debian.org/security/2021/dsa-5022Third Party Advisory

https://www.intel.com/content/www/us/en/security-center/advisory/intel...Third Party Advisory

https://www.kb.cert.org/vuls/id/930724Third Party Advisory

https://www.oracle.com/security-alerts/alert-cve-2021-44228.htmlThird Party Advisory

https://www.oracle.com/security-alerts/cpuapr2022.htmlThird Party Advisory

https://www.oracle.com/security-alerts/cpujan2022.htmlPatch

https://www.oracle.com/security-alerts/cpujul2022.htmlThird Party Advisory

http://www.openwall.com/lists/oss-security/2021/12/14/4Mailing List

http://www.openwall.com/lists/oss-security/2021/12/15/3Mailing List

http://www.openwall.com/lists/oss-security/2021/12/18/1Mailing List