Home

CVE-2021-45046

Description

It was found that the fix to address CVE-2021-44228 in Apache Log4j 2.15.0 was incomplete in certain non-default configurations. This could allows attackers with control over Thread Context Map (MDC) input data when the logging configuration uses a non-default Pattern Layout with either a Context Lookup (for example, $${ctx:loginId}) or a Thread Context Map pattern (%X, %mdc, or %MDC) to craft malicious input data using a JNDI Lookup pattern resulting in an information leak and remote code execution in some environments and local code execution in all environments. Log4j 2.16.0 (Java 8) and 2.12.2 (Java 7) fix this issue by removing support for message lookup patterns and disabling JNDI functionality by default.

Risk Information

Base Score
9.0
MODERATE
Vector
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H
EPSS Score
Exploitation Probability
94.34

Associated Vulnerability

VulnerabilityOS Platform
Apache Log4j Vulnerability (CVE-2021-45046)Windows
Multiple Vulnerabilities are affected in IBM Cognos Analytics 11.0.13Windows
Vulnerabilities CVE-2021-45046 are fixed in Apache - Log4j Core 2.16.0Windows
Vulnerabilities CVE-2021-45046,CVE-2021-44228 are fixed in Apache - Log4j Core 2.12.2Windows
Multiple Vulnerabilities are affected in IBM Tivoli Monitoring 6.3.0Windows
Multiple Vulnerabilities are affected in IBM Security Guardium 10.5Windows
Multiple Vulnerabilities are affected in IBM Security Guardium 10.6Windows
Multiple Vulnerabilities are affected in IBM Security Guardium 11.1Windows
Multiple Vulnerabilities are affected in IBM Security Guardium 11.2Windows
Multiple Vulnerabilities are affected in IBM Cognos Controller 10.4.2Windows
Multiple Vulnerabilities are affected in IBM Security Guardium 11.3Windows
Multiple Vulnerabilities are affected in IBM Security Guardium 11.4Windows
Vulnerabilities CVE-2021-44228,CVE-2021-45046 are affected in Siemens Mendix 2.3Windows
Vulnerabilities CVE-2021-44228,CVE-2021-45046 are affected in Siemens Teamcenter 2.3Windows
Multiple Vulnerabilities are affected in IBM Security Guardium 11.0Windows
Multiple Vulnerabilities are affected in IBM Operational Decision Manager 8.11Windows
Multiple Vulnerabilities are affected in IBM Sterling B2B Integrator 6.1.1.0Windows
Multiple Vulnerabilities are affected in IBM Operational Decision Manager 8.10.4Windows
Multiple Vulnerabilities are affected in IBM MQ 9.1Windows
Multiple Vulnerabilities are affected in IBM MQ 9.2Windows
Multiple Vulnerabilities are affected in IBM Business Automation Workflow 21.0Windows
Multiple Vulnerabilities are affected in IBM App Connect Enterprise 11.0.0.15Windows
Multiple Vulnerabilities are affected in IBM App Connect Enterprise 12.0.3.0Windows
Vulnerabilities CVE-2021-45105,CVE-2021-44832,CVE-2021-45046,CVE-2021-44228 are fixed in Ops4j - pax-logging-log4j2 1.9.2Windows
Vulnerabilities CVE-2021-45046,CVE-2021-44228 are fixed in Ops4j - pax-logging-log4j2 1.10.8Windows
Vulnerabilities CVE-2021-45046 are fixed in Ops4j - pax-logging-log4j2 1.11.11Windows
Vulnerabilities CVE-2021-45046 are fixed in Ops4j - pax-logging-log4j2 2.0.12Windows
Vulnerabilities CVE-2021-45046 are fixed in Apache - Log4j Core for Linux 2.16.0Linux
Vulnerabilities CVE-2021-45046,CVE-2021-44228 are fixed in Apache - Log4j Core for Linux 2.12.2Linux
Vulnerabilities CVE-2021-45105,CVE-2021-44832,CVE-2021-45046,CVE-2021-44228 are fixed in Ops4j - pax-logging-log4j2 for Linux 1.9.2Linux
Vulnerabilities CVE-2021-45046,CVE-2021-44228 are fixed in Ops4j - pax-logging-log4j2 for Linux 1.10.8Linux
Vulnerabilities CVE-2021-45046 are fixed in Ops4j - pax-logging-log4j2 for Linux 1.11.11Linux
Vulnerabilities CVE-2021-45046 are fixed in Ops4j - pax-logging-log4j2 for Linux 2.0.12Linux
Improper Neutralization of Special Elements used in an Expression Language Statement (Expression Language Injection) Vulnerability (CVE-2021-45046)NCM

Patch Details

No records found

References

https://nvd.nist.gov/vuln/detail/CVE-2023-1234
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-1234