9
CVE-2021-45046
- EPSS 94.34%
- Veröffentlicht 14.12.2021 19:15:07
- Zuletzt bearbeitet 27.10.2025 17:35:56
- Quelle security@apache.org
- CVE-Watchlists
- Unerledigt
LoginApache Log4j2 Thread Context Message Pattern and Context Lookup Pattern vulnerable to a denial of service attack
It was found that the fix to address CVE-2021-44228 in Apache Log4j 2.15.0 was incomplete in certain non-default configurations. This could allows attackers with control over Thread Context Map (MDC) input data when the logging configuration uses a non-default Pattern Layout with either a Context Lookup (for example, $${ctx:loginId}) or a Thread Context Map pattern (%X, %mdc, or %MDC) to craft malicious input data using a JNDI Lookup pattern resulting in an information leak and remote code execution in some environments and local code execution in all environments. Log4j 2.16.0 (Java 8) and 2.12.2 (Java 7) fix this issue by removing support for message lookup patterns and disabling JNDI functionality by default.
Daten sind bereitgestellt durch National Vulnerability Database (NVD)
Cvat ≫ Computer Vision Annotation Tool Version-
Intel ≫ Audio Development Kit Version-
Intel ≫ Datacenter Manager Version-
Intel ≫ Genomics Kernel Library Version-
Intel ≫ Secure Device Onboard Version-
Intel ≫ Sensor Solution Firmware Development Kit Version-
Intel ≫ System Debugger Version-
Intel ≫ System Studio Version-
Siemens ≫ Desigo Cc Advanced Reports Version4.0
Siemens ≫ Desigo Cc Advanced Reports Version4.1
Siemens ≫ Desigo Cc Advanced Reports Version4.2
Siemens ≫ Desigo Cc Advanced Reports Version5.0
Siemens ≫ Desigo Cc Advanced Reports Version5.1
Siemens ≫ Desigo Cc Info Center Version5.0
Siemens ≫ Desigo Cc Info Center Version5.1
Siemens ≫ E-car Operation Center Version < 2021-12-13
Siemens ≫ Energy Engage Version3.1
Siemens ≫ Energyip Prepay Version3.7
Siemens ≫ Energyip Prepay Version3.8
Siemens ≫ Gma-manager Version < 8.6.2j-398
Siemens ≫ Industrial Edge Management Hub Version < 2021-12-13
Siemens ≫ Mindsphere Version < 2021-12-11
Siemens ≫ Opcenter Intelligence Version <= 3.2
Siemens ≫ Operation Scheduler Version <= 1.1.3
Siemens ≫ Sentron Powermanager Version4.1
Siemens ≫ Sentron Powermanager Version4.2
Siemens ≫ Siguard Dsa Version4.2
Siemens ≫ Siguard Dsa Version4.3
Siemens ≫ Siguard Dsa Version4.4
Siemens ≫ Sipass Integrated Version2.80
Siemens ≫ Sipass Integrated Version2.85
Siemens ≫ Siveillance Command Version <= 4.16.2.1
Siemens ≫ Siveillance Identity Version1.5
Siemens ≫ Siveillance Identity Version1.6
Siemens ≫ Solid Edge Harness Design Version < 2020
Siemens ≫ Solid Edge Harness Design Version2020
Siemens ≫ Solid Edge Harness Design Version2020 Update-
Siemens ≫ Solid Edge Harness Design Version2020 Updatesp2002
Siemens ≫ Spectrum Power 4 Version < 4.70
Siemens ≫ Spectrum Power 4 Version4.70 Update-
Siemens ≫ Spectrum Power 4 Version4.70 Updatesp7
Siemens ≫ Spectrum Power 4 Version4.70 Updatesp8
Siemens ≫ Spectrum Power 7 Version < 2.30
Siemens ≫ Spectrum Power 7 Version2.30
Siemens ≫ Spectrum Power 7 Version2.30 Update-
Siemens ≫ Spectrum Power 7 Version2.30 Updatesp2
Siemens ≫ Xpedition Enterprise Version-
Siemens ≫ Xpedition Package Integrator Version-
Debian ≫ Debian Linux Version10.0
Debian ≫ Debian Linux Version11.0
Sonicwall ≫ Email Security Version < 10.0.12
Fedoraproject ≫ Fedora Version34
Fedoraproject ≫ Fedora Version35
Siemens ≫ 6bk1602-0aa12-0tp0 Firmware Version < 2.7.0
Siemens ≫ 6bk1602-0aa22-0tp0 Firmware Version < 2.7.0
Siemens ≫ 6bk1602-0aa32-0tp0 Firmware Version < 2.7.0
Siemens ≫ 6bk1602-0aa42-0tp0 Firmware Version < 2.7.0
Siemens ≫ 6bk1602-0aa52-0tp0 Firmware Version < 2.7.0
01.05.2023: CISA Known Exploited Vulnerabilities (KEV) Catalog
Apache Log4j2 Deserialization of Untrusted Data Vulnerability
SchwachstelleApache Log4j2 contains a deserialization of untrusted data vulnerability due to the incomplete fix of CVE-2021-44228, where the Thread Context Lookup Pattern is vulnerable to remote code execution in certain non-default configurations.
BeschreibungApply updates per vendor instructions.
Erforderliche Maßnahmen| Typ | Quelle | Score | Percentile |
|---|---|---|---|
| EPSS | FIRST.org | 94.34% | 0.999 |
| Quelle | Base Score | Exploit Score | Impact Score | Vector String |
|---|---|---|---|---|
| nvd@nist.gov | 9 | 2.2 | 6 |
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H
|
| nvd@nist.gov | 5.1 | 4.9 | 6.4 |
AV:N/AC:H/Au:N/C:P/I:P/A:P
|
| 134c704f-9b21-4f2e-91b3-4a467353bcc0 | 9 | 2.2 | 6 |
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H
|
CWE-917 Improper Neutralization of Special Elements used in an Expression Language Statement ('Expression Language Injection')
The product constructs all or part of an expression language (EL) statement in a framework such as a Java Server Page (JSP) using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended EL statement before it is executed.