Vulnerability CVE-2021-45046: Information

Description

It was found that the fix to address CVE-2021-44228 in Apache Log4j 2.15.0 was incomplete in certain non-default configurations. This could allow attackers with control over Thread Context Map (MDC) input data, when the logging configuration uses a non-default Pattern Layout with either a Context Lookup (for example, $${ctx:loginId}) or a Thread Context Map pattern (%X, %mdc, or %MDC), to craft malicious input data using a JNDI Lookup pattern, resulting in an information leak and remote code execution in some environments and local code execution in all environments. Log4j 2.16.0 (Java 8) and 2.12.2 (Java 7) fix this issue by removing support for message lookup patterns and disabling JNDI functionality by default.

Severity: CRITICAL (9.0)
Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H

Published: Dec. 14, 2021
Modified: Oct. 26, 2023
Weakness type identifier: CWE-917

References to Advisories, Solutions, and Tools

Hyperlink (resource types listed under each link)

[oss-security] 20211214 CVE-2021-45046: Apache Log4j2 Thread Context Message Pattern and Context Lookup Pattern vulnerable to a denial of service attack
  • Mailing List
  • Mitigation
  • Third Party Advisory
https://logging.apache.org/log4j/2.x/security.html
  • Mitigation
  • Release Notes
  • Vendor Advisory
https://www.cve.org/CVERecord?id=CVE-2021-44228
  • Not Applicable
https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00646.html
  • Third Party Advisory
20211210 Vulnerabilities in Apache Log4j Library Affecting Cisco Products: December 2021
  • Third Party Advisory
[oss-security] 20211215 Re: CVE-2021-45046: Apache Log4j2 Thread Context Message Pattern and Context Lookup Pattern vulnerable to a denial of service attack
  • Mailing List
  • Third Party Advisory
https://cert-portal.siemens.com/productcert/pdf/ssa-661247.pdf
  • Third Party Advisory
VU#930724
  • Third Party Advisory
  • US Government Resource
https://cert-portal.siemens.com/productcert/pdf/ssa-714170.pdf
  • Third Party Advisory
DSA-5022
  • Third Party Advisory
https://www.oracle.com/security-alerts/alert-cve-2021-44228.html
  • Third Party Advisory
https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2021-0032
  • Third Party Advisory
[oss-security] 20211218 Re: CVE-2021-45046: Apache Log4j2 Thread Context Message Pattern and Context Lookup Pattern vulnerable to a denial of service attack
  • Mailing List
  • Third Party Advisory
https://cert-portal.siemens.com/productcert/pdf/ssa-397453.pdf
  • Third Party Advisory
https://cert-portal.siemens.com/productcert/pdf/ssa-479842.pdf
  • Third Party Advisory
https://www.oracle.com/security-alerts/cpujan2022.html
  • Patch
  • Third Party Advisory
https://www.oracle.com/security-alerts/cpuapr2022.html
  • Third Party Advisory
N/A
  • Third Party Advisory
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/SIG7FZULMNK2XF6FZRU4VWYDQXNMUGAJ/
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/EOKPQGV24RRBBI4TBZUDQMM4MEH7MXCY/
https://security.gentoo.org/glsa/202310-16
Configuration 1

cpe:2.3:a:apache:log4j:2.0:rc1:*:*:*:*:*:*
cpe:2.3:a:apache:log4j:2.0:beta9:*:*:*:*:*:*
cpe:2.3:a:apache:log4j:2.0:rc2:*:*:*:*:*:*
cpe:2.3:a:apache:log4j:2.0:-:*:*:*:*:*:*
cpe:2.3:a:apache:log4j:*:*:*:*:*:*:*:*
  Start including: 2.0.1
  End excluding: 2.12.2
cpe:2.3:a:apache:log4j:*:*:*:*:*:*:*:*
  Start including: 2.13.0
  End excluding: 2.16.0

Configuration 2

cpe:2.3:a:intel:oneapi:-:*:*:*:*:eclipse:*:*
cpe:2.3:a:intel:audio_development_kit:-:*:*:*:*:*:*:*
cpe:2.3:a:intel:datacenter_manager:-:*:*:*:*:*:*:*
cpe:2.3:a:intel:system_debugger:-:*:*:*:*:*:*:*
cpe:2.3:a:intel:secure_device_onboard:-:*:*:*:*:*:*:*
cpe:2.3:a:intel:sensor_solution_firmware_development_kit:-:*:*:*:*:*:*:*
cpe:2.3:a:intel:computer_vision_annotation_tool:-:*:*:*:*:*:*:*
cpe:2.3:a:intel:genomics_kernel_library:-:*:*:*:*:*:*:*
cpe:2.3:a:intel:system_studio:-:*:*:*:*:*:*:*

Configuration 3

cpe:2.3:o:siemens:sppa-t3000_ses3000_firmware:*:*:*:*:*:*:*:*
Running on/with:
cpe:2.3:h:siemens:sppa-t3000_ses3000:-:*:*:*:*:*:*:*

Configuration 4

cpe:2.3:a:siemens:logo\!_soft_comfort:*:*:*:*:*:*:*:*
cpe:2.3:a:siemens:spectrum_power_4:4.70:sp7:*:*:*:*:*:*
cpe:2.3:a:siemens:spectrum_power_4:4.70:-:*:*:*:*:*:*
cpe:2.3:a:siemens:spectrum_power_4:*:*:*:*:*:*:*:*
  End excluding: 4.70
cpe:2.3:a:siemens:siveillance_control_pro:*:*:*:*:*:*:*:*
cpe:2.3:a:siemens:energyip_prepay:3.7:*:*:*:*:*:*:*
cpe:2.3:a:siemens:energyip_prepay:3.8:*:*:*:*:*:*:*
cpe:2.3:a:siemens:spectrum_power_4:4.70:sp8:*:*:*:*:*:*
cpe:2.3:a:siemens:siveillance_identity:1.6:*:*:*:*:*:*:*
cpe:2.3:a:siemens:siveillance_identity:1.5:*:*:*:*:*:*:*
cpe:2.3:a:siemens:siveillance_command:*:*:*:*:*:*:*:*
  End including: 4.16.2.1
cpe:2.3:a:siemens:sipass_integrated:2.85:*:*:*:*:*:*:*
cpe:2.3:a:siemens:sipass_integrated:2.80:*:*:*:*:*:*:*
cpe:2.3:a:siemens:head-end_system_universal_device_integration_system:*:*:*:*:*:*:*:*
cpe:2.3:a:siemens:gma-manager:*:*:*:*:*:*:*:*
  End excluding: 8.6.2j-398
cpe:2.3:a:siemens:energyip:8.5:*:*:*:*:*:*:*
cpe:2.3:a:siemens:energyip:8.6:*:*:*:*:*:*:*
cpe:2.3:a:siemens:energyip:8.7:*:*:*:*:*:*:*
cpe:2.3:a:siemens:energyip:9.0:*:*:*:*:*:*:*
cpe:2.3:a:siemens:energy_engage:3.1:*:*:*:*:*:*:*
cpe:2.3:a:siemens:e-car_operation_center:*:*:*:*:*:*:*:*
  End excluding: 2021-12-13
cpe:2.3:a:siemens:desigo_cc_info_center:5.0:*:*:*:*:*:*:*
cpe:2.3:a:siemens:desigo_cc_info_center:5.1:*:*:*:*:*:*:*
cpe:2.3:a:siemens:desigo_cc_advanced_reports:4.1:*:*:*:*:*:*:*
cpe:2.3:a:siemens:desigo_cc_advanced_reports:4.2:*:*:*:*:*:*:*
cpe:2.3:a:siemens:desigo_cc_advanced_reports:5.0:*:*:*:*:*:*:*
cpe:2.3:a:siemens:desigo_cc_advanced_reports:5.1:*:*:*:*:*:*:*
cpe:2.3:a:siemens:desigo_cc_advanced_reports:4.0:*:*:*:*:*:*:*
cpe:2.3:a:siemens:comos:*:*:*:*:*:*:*:*
cpe:2.3:a:siemens:captial:2019.1:sp1912:*:*:*:*:*:*
cpe:2.3:a:siemens:navigator:*:*:*:*:*:*:*:*
  End excluding: 2021-12-13
cpe:2.3:a:siemens:xpedition_package_integrator:-:*:*:*:*:*:*:*
cpe:2.3:a:siemens:xpedition_enterprise:-:*:*:*:*:*:*:*
cpe:2.3:a:siemens:vesys:2019.1:sp1912:*:*:*:*:*:*
cpe:2.3:a:siemens:vesys:2019.1:*:*:*:*:*:*:*
cpe:2.3:a:siemens:vesys:*:*:*:*:*:*:*:*
  End excluding: 2019.1
cpe:2.3:a:siemens:vesys:2019.1:-:*:*:*:*:*:*
cpe:2.3:a:siemens:teamcenter:*:*:*:*:*:*:*:*
cpe:2.3:a:siemens:spectrum_power_7:2.30:sp2:*:*:*:*:*:*
cpe:2.3:a:siemens:spectrum_power_7:2.30:-:*:*:*:*:*:*
cpe:2.3:a:siemens:spectrum_power_7:*:*:*:*:*:*:*:*
  End excluding: 2.30
cpe:2.3:a:siemens:spectrum_power_7:2.30:*:*:*:*:*:*:*
cpe:2.3:a:siemens:solid_edge_harness_design:2020:sp2002:*:*:*:*:*:*
cpe:2.3:a:siemens:solid_edge_harness_design:2020:-:*:*:*:*:*:*
cpe:2.3:a:siemens:solid_edge_harness_design:*:*:*:*:*:*:*:*
  End excluding: 2020
cpe:2.3:a:siemens:captial:2019.1:-:*:*:*:*:*:*
cpe:2.3:a:siemens:solid_edge_harness_design:2020:*:*:*:*:*:*:*
cpe:2.3:a:siemens:solid_edge_cam_pro:*:*:*:*:*:*:*:*
cpe:2.3:a:siemens:siveillance_viewpoint:*:*:*:*:*:*:*:*
cpe:2.3:a:siemens:siveillance_vantage:*:*:*:*:*:*:*:*
cpe:2.3:a:siemens:siguard_dsa:4.3:*:*:*:*:*:*:*
cpe:2.3:a:siemens:siguard_dsa:4.4:*:*:*:*:*:*:*
cpe:2.3:a:siemens:siguard_dsa:4.2:*:*:*:*:*:*:*
cpe:2.3:a:siemens:sentron_powermanager:4.2:*:*:*:*:*:*:*
cpe:2.3:a:siemens:sentron_powermanager:4.1:*:*:*:*:*:*:*
cpe:2.3:a:siemens:operation_scheduler:*:*:*:*:*:*:*:*
  End including: 1.1.3
cpe:2.3:a:siemens:nx:*:*:*:*:*:*:*:*
cpe:2.3:a:siemens:opcenter_intelligence:*:*:*:*:*:*:*:*
  End including: 3.2
cpe:2.3:a:siemens:mindsphere:*:*:*:*:*:*:*:*
  End excluding: 2021-12-11
cpe:2.3:a:siemens:mendix:*:*:*:*:*:*:*:*
cpe:2.3:a:siemens:industrial_edge_management_hub:*:*:*:*:*:*:*:*
  End excluding: 2021-12-13
cpe:2.3:a:siemens:industrial_edge_management:*:*:*:*:*:*:*:*
cpe:2.3:a:siemens:captial:*:*:*:*:*:*:*:*
  End excluding: 2019.1
cpe:2.3:a:siemens:tracealertserverplus:*:*:*:*:*:*:*:*

Configuration 5

cpe:2.3:o:debian:debian_linux:10.0:*:*:*:*:*:*:*
cpe:2.3:o:debian:debian_linux:11.0:*:*:*:*:*:*:*

Configuration 6

cpe:2.3:a:sonicwall:email_security:*:*:*:*:*:*:*:*
  End excluding: 10.0.12

Configuration 7

cpe:2.3:o:fedoraproject:fedora:34:*:*:*:*:*:*:*
cpe:2.3:o:fedoraproject:fedora:35:*:*:*:*:*:*:*

Configuration 8

cpe:2.3:o:siemens:6bk1602-0aa12-0tp0_firmware:*:*:*:*:*:*:*:*
Running on/with:
cpe:2.3:h:siemens:6bk1602-0aa12-0tp0:-:*:*:*:*:*:*:*

Configuration 9

cpe:2.3:o:siemens:6bk1602-0aa22-0tp0_firmware:*:*:*:*:*:*:*:*
Running on/with:
cpe:2.3:h:siemens:6bk1602-0aa22-0tp0:-:*:*:*:*:*:*:*

Configuration 10

cpe:2.3:o:siemens:6bk1602-0aa32-0tp0_firmware:*:*:*:*:*:*:*:*
Running on/with:
cpe:2.3:h:siemens:6bk1602-0aa32-0tp0:-:*:*:*:*:*:*:*

Configuration 11

cpe:2.3:o:siemens:6bk1602-0aa42-0tp0_firmware:*:*:*:*:*:*:*:*
Running on/with:
cpe:2.3:h:siemens:6bk1602-0aa42-0tp0:-:*:*:*:*:*:*:*

Configuration 12

cpe:2.3:o:siemens:6bk1602-0aa52-0tp0_firmware:*:*:*:*:*:*:*:*
Running on/with:
cpe:2.3:h:siemens:6bk1602-0aa52-0tp0:-:*:*:*:*:*:*:*