CVE-2021-45046: Incomplete fix for Apache Log4j vulnerability
The fix for CVE-2021-44228 in Apache Log4j 2.15.0 was incomplete in certain non-default configurations. When the logging configuration uses a non-default Pattern Layout with either a Context Lookup (for example, $${ctx:loginId}) or a Thread Context Map pattern (%X, %mdc, or %MDC), an attacker who controls Thread Context Map (MDC) input data can craft malicious input containing a JNDI Lookup pattern, resulting in remote code execution (RCE).
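As an added example (not part of this advisory or of Log4j itself), a small Python checker that parses a Log4j 2 XML configuration and flags the non-default PatternLayout features named above, so a defender can tell whether a 2.15.0 deployment is in the affected configuration; the sample config, appender names and MDC keys are constructed.

```python
import re
import xml.etree.ElementTree as ET

# Pattern Layout features named in the advisory: a Context Lookup
# (${ctx:...} / $${ctx:...}) or a Thread Context Map pattern (%X, %mdc, %MDC).
CTX_LOOKUP = re.compile(r"\$\$?\{ctx:")
MDC_PATTERN = re.compile(r"%(?:X|mdc|MDC)(?:\{[^}]*\})?")

def risky_features(pattern: str) -> list[str]:
    """List the advisory-named features present in one PatternLayout pattern."""
    found = []
    if CTX_LOOKUP.search(pattern):
        found.append("ctx-lookup")
    found.extend(sorted({m.group(0) for m in MDC_PATTERN.finditer(pattern)}))
    return found

def audit_log4j2_xml(xml_text: str) -> dict[str, list[str]]:
    """Map each appender name to the risky features in its PatternLayout(s)."""
    root = ET.fromstring(xml_text)
    report = {}
    appenders = root.find("Appenders")
    for appender in ([] if appenders is None else list(appenders)):
        name = appender.get("name", appender.tag)
        features: list[str] = []
        for layout in appender.iter("PatternLayout"):
            # The pattern may be an attribute or a nested <Pattern> element.
            pattern = layout.get("pattern") or layout.findtext("Pattern") or ""
            features += [f for f in risky_features(pattern) if f not in features]
        report[name] = features
    return report

# Constructed sample config: a default-style console pattern and an audit
# appender that writes MDC values (the non-default case the advisory describes).
SAMPLE_CONFIG = """<Configuration status="WARN">
  <Appenders>
    <Console name="Console" target="SYSTEM_OUT">
      <PatternLayout pattern="%d %p %c{1.} [%t] %m%n"/>
    </Console>
    <File name="Audit" fileName="audit.log">
      <PatternLayout>
        <Pattern>%d [%t] user=%X{loginId} req=$${ctx:requestId} %m%n</Pattern>
      </PatternLayout>
    </File>
  </Appenders>
</Configuration>"""

if __name__ == "__main__":
    for appender, features in audit_log4j2_xml(SAMPLE_CONFIG).items():
        print(f"{appender}: {'REVIEW' if features else 'ok'} {features}")
```

An appender reported as REVIEW only means the layout logs MDC data; whether that data is attacker-controlled depends on the application, so treat the result as a prompt to upgrade rather than as proof of exposure.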
References
- cert-portal.siemens.com/productcert/pdf/ssa-397453.pdf
- cert-portal.siemens.com/productcert/pdf/ssa-479842.pdf
- cert-portal.siemens.com/productcert/pdf/ssa-661247.pdf
- cert-portal.siemens.com/productcert/pdf/ssa-714170.pdf
- github.com/advisories/GHSA-7rjr-3q55-vv33
- github.com/advisories/GHSA-jfh8-c2jp-5v3q
- lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/EOKPQGV24RRBBI4TBZUDQMM4MEH7MXCY
- lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/SIG7FZULMNK2XF6FZRU4VWYDQXNMUGAJ
- logging.apache.org/log4j/2.x/security.html
- nvd.nist.gov/vuln/detail/CVE-2021-45046
- psirt.global.sonicwall.com/vuln-detail/SNWLID-2021-0032
- sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-apache-log4j-qRuKNEbd
- security.gentoo.org/glsa/202310-16
- www.cve.org/CVERecord?id=CVE-2021-44228
- www.debian.org/security/2021/dsa-5022
- www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00646.html
- www.kb.cert.org/vuls/id/930724
- www.openwall.com/lists/oss-security/2021/12/14/4
- www.oracle.com/security-alerts/alert-cve-2021-44228.html
- www.oracle.com/security-alerts/cpuapr2022.html
- www.oracle.com/security-alerts/cpujan2022.html
- www.oracle.com/security-alerts/cpujul2022.html