← back
CVE-2021-45046

Apache Log4j2 Thread Context Message Pattern and Context Lookup Pattern vulnerable to a denial of service attack

CVSS 9 CRITICALEPSS 100.0%● KEVCWE-917
In short

Apache Log4j2 versions 2.15.0 have an incomplete fix that allows attackers to exploit Thread Context data in non-default logging configurations to leak information or execute malicious code. This affects systems using specific logging patterns that weren't properly secured in the initial patch.

Technical detail

CVE-2021-45046 is a follow-up to CVE-2021-44228 affecting Log4j 2.15.0 when non-default Pattern Layouts include Context Lookup or Thread Context Map patterns (e.g., ${ctx:*} or %X). Attackers with control over MDC input can inject JNDI Lookup patterns to achieve remote code execution (RCE) in certain environments or local code execution universally. The vulnerability requires logging configuration with specific pattern components and is mitigated in Log4j 2.16.0+ and 2.12.2+ by disabling JNDI by default and removing message lookup support.

Summary generated and translated by AI from the official description.
It was found that the fix to address CVE-2021-44228 in Apache Log4j 2.15.0 was incomplete in certain non-default configurations. This could allows attackers with control over Thread Context Map (MDC) input data when the logging configuration uses a non-default Pattern Layout with either a Context Lookup (for example, $${ctx:loginId}) or a Thread Context Map pattern (%X, %mdc, or %MDC) to craft malicious input data using a JNDI Lookup pattern resulting in an information leak and remote code execution in some environments and local code execution in all environments. Log4j 2.16.0 (Java 8) and 2.12.2 (Java 7) fix this issue by removing support for message lookup patterns and disabling JNDI functionality by default.
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H
Affected products
Apache Software Foundation · Apache Log4j
public PoCs found11
githubgithub.com/lijiejie/log4j2_vul_local_scanner85githubgithub.com/cckuailong/Log4j_CVE-2021-4504621githubgithub.com/mergebase/log4j-samples14githubgithub.com/ifconfig-me/Log4Shell-Payloads8githubgithub.com/BobTheShoplifter/CVE-2021-45046-Info4githubgithub.com/CaptanMoss/Log4Shell-Sandbox-Signature1githubgithub.com/ludy-dev/cve-2021-450461githubgithub.com/shaily29-eng/CyberSecurity_CVE-2021-450460githubgithub.com/tejas-nagchandi/CVE-2021-450460githubgithub.com/lukepasek/log4jjndilookupremove0githubgithub.com/pravin-pp/log4j2-CVE-2021-450460
⚠ Public resources, to assess the exposure of systems you control or are authorized to test. Test only with authorization.

Want to know if your infrastructure is exposed to this?

Talk to TrueHacking →
References
https://cert-portal.siemens.com/productcert/pdf/ssa-397453.pdfhttps://cert-portal.siemens.com/productcert/pdf/ssa-479842.pdfhttps://cert-portal.siemens.com/productcert/pdf/ssa-661247.pdfhttps://cert-portal.siemens.com/productcert/pdf/ssa-714170.pdfhttps://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/EOKPQGV24RRBBI4TBZUDQMM4MEH7MXCY/https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/SIG7FZULMNK2XF6FZRU4VWYDQXNMUGAJ/https://logging.apache.org/log4j/2.x/security.htmlhttps://psirt.global.sonicwall.com/vuln-detail/SNWLID-2021-0032https://security.gentoo.org/glsa/202310-16https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-apache-log4j-qRuKNEbdhttps://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2021-45046https://www.cve.org/CVERecord?id=CVE-2021-44228