Vulnerability Description
It was found that the fix to address CVE-2021-44228 in Apache Log4j 2.15.0 was incomplete in certain non-default configurations. This could allows attackers with control over Thread Context Map (MDC) input data when the logging configuration uses a non-default Pattern Layout with either a Context Lookup (for example, $${ctx:loginId}) or a Thread Context Map pattern (%X, %mdc, or %MDC) to craft malicious input data using a JNDI Lookup pattern resulting in an information leak and remote code execution in some environments and local code execution in all environments. Log4j 2.16.0 (Java 8) and 2.12.2 (Java 7) fix this issue by removing support for message lookup patterns and disabling JNDI functionality by default.
CVSS Score
CRITICAL
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Apache | Log4J | >= 2.0.1, < 2.12.2 |
| Cvat | Computer Vision Annotation Tool | - |
| Intel | Audio Development Kit | - |
| Intel | Datacenter Manager | - |
| Intel | Genomics Kernel Library | - |
| Intel | Oneapi | - |
| Intel | Secure Device Onboard | - |
| Intel | Sensor Solution Firmware Development Kit | - |
| Intel | System Debugger | - |
| Intel | System Studio | - |
| Siemens | Sppa-T3000 Ses3000 Firmware | All versions |
| Siemens | Sppa-T3000 Ses3000 | - |
| Siemens | Captial | < 2019.1 |
| Siemens | Comos | All versions |
| Siemens | Desigo Cc Advanced Reports | 4.0 |
| Siemens | Desigo Cc Info Center | 5.0 |
| Siemens | E-Car Operation Center | < 2021-12-13 |
| Siemens | Energy Engage | 3.1 |
| Siemens | Energyip | 8.5 |
| Siemens | Energyip Prepay | 3.7 |
Related Weaknesses (CWE)
References
- http://www.openwall.com/lists/oss-security/2021/12/14/4Mailing ListMitigationThird Party Advisory
- http://www.openwall.com/lists/oss-security/2021/12/15/3Mailing ListThird Party Advisory
- http://www.openwall.com/lists/oss-security/2021/12/18/1Mailing ListThird Party Advisory
- https://cert-portal.siemens.com/productcert/pdf/ssa-397453.pdfThird Party Advisory
- https://cert-portal.siemens.com/productcert/pdf/ssa-479842.pdfThird Party Advisory
- https://cert-portal.siemens.com/productcert/pdf/ssa-661247.pdfThird Party Advisory
- https://cert-portal.siemens.com/productcert/pdf/ssa-714170.pdfThird Party Advisory
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproMailing ListRelease Notes
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproMailing ListRelease Notes
- https://logging.apache.org/log4j/2.x/security.htmlMitigationRelease NotesVendor Advisory
- https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2021-0032Third Party Advisory
- https://security.gentoo.org/glsa/202310-16Third Party Advisory
- https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-aThird Party Advisory
- https://www.cve.org/CVERecord?id=CVE-2021-44228Not Applicable
- https://www.debian.org/security/2021/dsa-5022Third Party Advisory
FAQ
What is CVE-2021-45046?
CVE-2021-45046 is a vulnerability with a CVSS score of 9.0 (CRITICAL). It was found that the fix to address CVE-2021-44228 in Apache Log4j 2.15.0 was incomplete in certain non-default configurations. This could allows attackers with control over Thread Context Map (MDC) ...
How severe is CVE-2021-45046?
CVE-2021-45046 has been rated CRITICAL with a CVSS base score of 9.0/10. This is considered a critical vulnerability requiring immediate attention.
Is there a patch for CVE-2021-45046?
Check the references section above for vendor advisories and patch information. Affected products include: Apache Log4J, Cvat Computer Vision Annotation Tool, Intel Audio Development Kit, Intel Datacenter Manager, Intel Genomics Kernel Library.