CVE-2021-45046

Warnung

EPSS 94.34%
Veröffentlicht 14.12.2021 19:15:07
Zuletzt bearbeitet 12.03.2025 19:52:00
Quelle security@apache.org
Teams Watchlist Login
Unerledigt Login

It was found that the fix to address CVE-2021-44228 in Apache Log4j 2.15.0 was incomplete in certain non-default configurations. This could allows attackers with control over Thread Context Map (MDC) input data when the logging configuration uses a non-default Pattern Layout with either a Context Lookup (for example, $${ctx:loginId}) or a Thread Context Map pattern (%X, %mdc, or %MDC) to craft malicious input data using a JNDI Lookup pattern resulting in an information leak and remote code execution in some environments and local code execution in all environments. Log4j 2.16.0 (Java 8) and 2.12.2 (Java 7) fix this issue by removing support for message lookup patterns and disabling JNDI functionality by default.

Betroffene Produkte Warnungen 2 Metriken 4 CWE 1 Referenzen 24

Daten sind bereitgestellt durch National Vulnerability Database (NVD)

Apache ≫ Log4j Version >= 2.0.1 < 2.12.2

Apache ≫ Log4j Version >= 2.13.0 < 2.16.0

Apache ≫ Log4j Version2.0 Update-

Apache ≫ Log4j Version2.0 Updatebeta9

Apache ≫ Log4j Version2.0 Updaterc1

Apache ≫ Log4j Version2.0 Updaterc2

Cvat ≫ Computer Vision Annotation Tool Version-

Intel ≫ Audio Development Kit Version-

Intel ≫ Datacenter Manager Version-

Intel ≫ Genomics Kernel Library Version-

Intel ≫ Oneapi Version- SwPlatformeclipse

Intel ≫ Secure Device Onboard Version-

Intel ≫ Sensor Solution Firmware Development Kit Version-

Intel ≫ System Debugger Version-

Intel ≫ System Studio Version-

Siemens ≫ Sppa-t3000 Ses3000 Firmware

Siemens ≫ Sppa-t3000 Ses3000 Version-

Siemens ≫ Captial Version < 2019.1

Siemens ≫ Captial Version2019.1 Update-

Siemens ≫ Captial Version2019.1 Updatesp1912

Siemens ≫ Comos

Siemens ≫ Desigo Cc Advanced Reports Version4.0

Siemens ≫ Desigo Cc Advanced Reports Version4.1

Siemens ≫ Desigo Cc Advanced Reports Version4.2

Siemens ≫ Desigo Cc Advanced Reports Version5.0

Siemens ≫ Desigo Cc Advanced Reports Version5.1

Siemens ≫ Desigo Cc Info Center Version5.0

Siemens ≫ Desigo Cc Info Center Version5.1

Siemens ≫ E-car Operation Center Version < 2021-12-13

Siemens ≫ Energy Engage Version3.1

Siemens ≫ Energyip Version8.5

Siemens ≫ Energyip Version8.6

Siemens ≫ Energyip Version8.7

Siemens ≫ Energyip Version9.0

Siemens ≫ Energyip Prepay Version3.7

Siemens ≫ Energyip Prepay Version3.8

Siemens ≫ Gma-manager Version < 8.6.2j-398

Siemens ≫ Head-end System Universal Device Integration System

Siemens ≫ Industrial Edge Management

Siemens ≫ Industrial Edge Management Hub Version < 2021-12-13

Siemens ≫ Logo! Soft Comfort

Siemens ≫ Mendix

Siemens ≫ Mindsphere Version < 2021-12-11

Siemens ≫ Navigator Version < 2021-12-13

Siemens ≫ Nx

Siemens ≫ Opcenter Intelligence Version <= 3.2

Siemens ≫ Operation Scheduler Version <= 1.1.3

Siemens ≫ Sentron Powermanager Version4.1

Siemens ≫ Sentron Powermanager Version4.2

Siemens ≫ Siguard Dsa Version4.2

Siemens ≫ Siguard Dsa Version4.3

Siemens ≫ Siguard Dsa Version4.4

Siemens ≫ Sipass Integrated Version2.80

Siemens ≫ Sipass Integrated Version2.85

Siemens ≫ Siveillance Command Version <= 4.16.2.1

Siemens ≫ Siveillance Control Pro

Siemens ≫ Siveillance Identity Version1.5

Siemens ≫ Siveillance Identity Version1.6

Siemens ≫ Siveillance Vantage

Siemens ≫ Siveillance Viewpoint

Siemens ≫ Solid Edge Cam Pro

Siemens ≫ Solid Edge Harness Design Version < 2020

Siemens ≫ Solid Edge Harness Design Version2020

Siemens ≫ Solid Edge Harness Design Version2020 Update-

Siemens ≫ Solid Edge Harness Design Version2020 Updatesp2002

Siemens ≫ Spectrum Power 4 Version < 4.70

Siemens ≫ Spectrum Power 4 Version4.70 Update-

Siemens ≫ Spectrum Power 4 Version4.70 Updatesp7

Siemens ≫ Spectrum Power 4 Version4.70 Updatesp8

Siemens ≫ Spectrum Power 7 Version < 2.30

Siemens ≫ Spectrum Power 7 Version2.30

Siemens ≫ Spectrum Power 7 Version2.30 Update-

Siemens ≫ Spectrum Power 7 Version2.30 Updatesp2

Siemens ≫ Teamcenter

Siemens ≫ Tracealertserverplus

Siemens ≫ Vesys Version < 2019.1

Siemens ≫ Vesys Version2019.1

Siemens ≫ Vesys Version2019.1 Update-

Siemens ≫ Vesys Version2019.1 Updatesp1912

Siemens ≫ Xpedition Enterprise Version-

Siemens ≫ Xpedition Package Integrator Version-

Debian ≫ Debian Linux Version10.0

Debian ≫ Debian Linux Version11.0

Sonicwall ≫ Email Security Version < 10.0.12

Fedoraproject ≫ Fedora Version34

Fedoraproject ≫ Fedora Version35

Siemens ≫ 6bk1602-0aa12-0tp0 Firmware Version < 2.7.0

Siemens ≫ 6bk1602-0aa12-0tp0 Version-

Siemens ≫ 6bk1602-0aa22-0tp0 Firmware Version < 2.7.0

Siemens ≫ 6bk1602-0aa22-0tp0 Version-

Siemens ≫ 6bk1602-0aa32-0tp0 Firmware Version < 2.7.0

Siemens ≫ 6bk1602-0aa32-0tp0 Version-

Siemens ≫ 6bk1602-0aa42-0tp0 Firmware Version < 2.7.0

Siemens ≫ 6bk1602-0aa42-0tp0 Version-

Siemens ≫ 6bk1602-0aa52-0tp0 Firmware Version < 2.7.0

Siemens ≫ 6bk1602-0aa52-0tp0 Version-

01.05.2023: CISA Known Exploited Vulnerabilities (KEV) Catalog

Apache Log4j2 Deserialization of Untrusted Data Vulnerability

Schwachstelle

Apache Log4j2 contains a deserialization of untrusted data vulnerability due to the incomplete fix of CVE-2021-44228, where the Thread Context Lookup Pattern is vulnerable to remote code execution in certain non-default configurations.

Beschreibung

Apply updates per vendor instructions.

Erforderliche Maßnahmen

10.12.2021: CERT.at Warnung

https://www.cert.at/de/warnungen/2021/12/kritische-0-day-sicherheitslucke-in-apache-log4j-bibliothek

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	94.34%	1

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
nvd@nist.gov	9	2.2	6	CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H
nvd@nist.gov	5.1	4.9	6.4	AV:N/AC:H/Au:N/C:P/I:P/A:P
134c704f-9b21-4f2e-91b3-4a467353bcc0	9	2.2	6	CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H

CWE-917 Improper Neutralization of Special Elements used in an Expression Language Statement ('Expression Language Injection')

The product constructs all or part of an expression language (EL) statement in a framework such as a Java Server Page (JSP) using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended EL statement before it is executed.

https://www.oracle.com/security-alerts/cpuapr2022.html

Third Party Advisory

https://www.oracle.com/security-alerts/cpujan2022.html

Patch

Third Party Advisory

https://www.oracle.com/security-alerts/cpujul2022.html

Third Party Advisory

http://www.openwall.com/lists/oss-security/2021/12/14/4

Third Party Advisory

Mailing List

Mitigation

http://www.openwall.com/lists/oss-security/2021/12/15/3