CVE-2021-45046

14.12.2021, 19:15

It was found that the fix to address CVE-2021-44228 in Apache Log4j 2.15.0 was incomplete in certain non-default configurations. This could allows attackers with control over Thread Context Map (MDC) input data when the logging configuration uses a non-default Pattern Layout with either a Context Lookup (for example, $${ctx:loginId}) or a Thread Context Map pattern (%X, %mdc, or %MDC) to craft malicious input data using a JNDI Lookup pattern resulting in an information leak and remote code execution in some environments and local code execution in all environments. Log4j 2.16.0 (Java 8) and 2.12.2 (Java 7) fix this issue by removing support for message lookup patterns and disabling JNDI functionality by default.

Expression Language Injection

Provider	Type	Base Score	Atk. Vector	Atk. Complexity	Priv. Required	Vector
NIST	NIST	9 CRITICAL	NETWORK	HIGH	NONE	CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H
apache	CNA	---				---
CVE	ADP	---				---
CISA-ADP	ADP	9 CRITICAL	NETWORK	HIGH	NONE	CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H

Base Score

CVSS 3.x

EPSS Score

Percentile: 99%

Vendor	Product	Version
apache	log4j	2.0.1 ≤ 𝑥 < 2.12.2
apache	log4j	2.13.0 ≤ 𝑥 < 2.16.0
apache	log4j	2.0
apache	log4j	2.0:beta9
apache	log4j	2.0:rc1
apache	log4j	2.0:rc2
cvat	computer_vision_annotation_tool	-
intel	audio_development_kit	-
intel	datacenter_manager	-
intel	genomics_kernel_library	-
intel	oneapi	-
intel	secure_device_onboard	-
intel	sensor_solution_firmware_development_kit	-
intel	system_debugger	-
intel	system_studio	-
siemens	sppa-t3000_ses3000_firmware	*
siemens	captial	𝑥 < 2019.1
siemens	captial	2019.1
siemens	captial	2019.1:sp1912
siemens	comos	*
siemens	desigo_cc_advanced_reports	4.0
siemens	desigo_cc_advanced_reports	4.1
siemens	desigo_cc_advanced_reports	4.2
siemens	desigo_cc_advanced_reports	5.0
siemens	desigo_cc_advanced_reports	5.1
siemens	desigo_cc_info_center	5.0
siemens	desigo_cc_info_center	5.1
siemens	e-car_operation_center	𝑥 < 2021-12-13
siemens	energy_engage	3.1
siemens	energyip	8.5
siemens	energyip	8.6
siemens	energyip	8.7
siemens	energyip	9.0
siemens	energyip_prepay	3.7
siemens	energyip_prepay	3.8
siemens	gma-manager	𝑥 < 8.6.2j-398
siemens	head-end_system_universal_device_integration_system	*
siemens	industrial_edge_management	*
siemens	industrial_edge_management_hub	𝑥 < 2021-12-13
siemens	logo\!_soft_comfort	*
siemens	mendix	*
siemens	mindsphere	𝑥 < 2021-12-11
siemens	navigator	𝑥 < 2021-12-13
siemens	nx	*
siemens	opcenter_intelligence	𝑥 ≤ 3.2
siemens	operation_scheduler	𝑥 ≤ 1.1.3
siemens	sentron_powermanager	4.1
siemens	sentron_powermanager	4.2
siemens	siguard_dsa	4.2
siemens	siguard_dsa	4.3
siemens	siguard_dsa	4.4
siemens	sipass_integrated	2.80
siemens	sipass_integrated	2.85
siemens	siveillance_command	𝑥 ≤ 4.16.2.1
siemens	siveillance_control_pro	*
siemens	siveillance_identity	1.5
siemens	siveillance_identity	1.6
siemens	siveillance_vantage	*
siemens	siveillance_viewpoint	*
siemens	solid_edge_cam_pro	*
siemens	solid_edge_harness_design	𝑥 < 2020
siemens	spectrum_power_4	𝑥 < 4.70
siemens	spectrum_power_4	4.70
siemens	spectrum_power_4	4.70:sp7
siemens	spectrum_power_4	4.70:sp8
siemens	spectrum_power_7	𝑥 < 2.30
siemens	spectrum_power_7	2.30
siemens	spectrum_power_7	2.30
siemens	spectrum_power_7	2.30:sp2
siemens	teamcenter	*
siemens	tracealertserverplus	*
siemens	vesys	𝑥 < 2019.1
siemens	vesys	2019.1
siemens	vesys	2019.1
siemens	vesys	2019.1:sp1912
siemens	xpedition_enterprise	-
siemens	xpedition_package_integrator	-
debian	debian_linux	10.0
debian	debian_linux	11.0
sonicwall	email_security	𝑥 < 10.0.12
siemens	6bk1602-0aa12-0tp0_firmware	𝑥 < 2.7.0
siemens	6bk1602-0aa22-0tp0_firmware	𝑥 < 2.7.0
siemens	6bk1602-0aa32-0tp0_firmware	𝑥 < 2.7.0
siemens	6bk1602-0aa42-0tp0_firmware	𝑥 < 2.7.0
siemens	6bk1602-0aa52-0tp0_firmware	𝑥 < 2.7.0

𝑥

= Vulnerable software versions

Debian Releases

Debian Product

Codename

apache-log4j2

bullseye	2.17.1-1~deb11u1 fixed
stretch	not-affected
bullseye (security)	2.17.0-1~deb11u1 fixed
sid	2.19.0-2 fixed
trixie	2.19.0-2 fixed
bookworm	2.19.0-2 fixed

Ubuntu Releases

Ubuntu Product

Codename

apache-log4j2

jammy	not-affected
impish	Fixed 2.16.0-0.21.10.1 released
hirsute	Fixed 2.16.0-0.21.04.1 released
focal	Fixed 2.16.0-0.20.04.1 released
bionic	not-affected
xenial	not-affected
trusty	dne