Vulnerability Monitor


CVE-2021-45046


It was found that the fix to address CVE-2021-44228 in Apache Log4j 2.15.0 was incomplete in certain non-default configurations. This could allow attackers with control over Thread Context Map (MDC) input data, when the logging configuration uses a non-default Pattern Layout with either a Context Lookup (for example, $${ctx:loginId}) or a Thread Context Map pattern (%X, %mdc, or %MDC), to craft malicious input data using a JNDI Lookup pattern, resulting in an information leak and remote code execution in some environments and local code execution in all environments. Log4j 2.16.0 (Java 8) and 2.12.2 (Java 7) fix this issue by removing support for message lookup patterns and disabling JNDI functionality by default.
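The two facts a responder needs from the description above are the fixed version for each release line (2.12.2 for the Java 7 line, 2.16.0 for the Java 8 line) and the Pattern Layout tokens through which attacker-controlled Thread Context Map data reaches a lookup. The following Python triage script is an added example, not code from the advisory or from the Log4j project: it applies both checks to a version string and a log4j2.xml. The function names are the example's own, the two configuration strings are constructed for it, and it makes one labelled assumption: every Log4j 2.x build below the fix for its line is treated as affected (the page lists 2.0 pre-release builds without their qualifiers, so pre-release 2.0 builds simply rank below 2.0).

```python
"""Triage helper for CVE-2021-45046: is a Log4j 2 version in the affected range,
and does a log4j2.xml use a Pattern Layout token through which attacker-controlled
Thread Context Map (MDC) data reaches a lookup?"""
import re
import xml.etree.ElementTree as ET
from typing import List, Tuple

# Fixed versions named in the advisory: 2.12.2 (Java 7 line) and 2.16.0 (Java 8 line).
# Tuples are (major, minor, patch, final); final=0 marks a pre-release build.
FIXED_JAVA7_LINE = (2, 12, 2, 1)
FIXED_JAVA8_LINE = (2, 16, 0, 1)

# Pattern Layout tokens the advisory names as the non-default configurations at risk.
RISKY_TOKENS = [
    (re.compile(r"\$\$\{ctx:"), "Context Lookup $${ctx:...}"),
    (re.compile(r"%X\b"), "Thread Context Map pattern %X"),
    (re.compile(r"%mdc\b"), "Thread Context Map pattern %mdc"),
    (re.compile(r"%MDC\b"), "Thread Context Map pattern %MDC"),
]

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)(?:\.(\d+))?(?:-(?:beta|rc)(\d+))?$")


def parse_version(text: str) -> Tuple[int, int, int, int]:
    """Parse '2.15.0', '2.12.1', '2.0-beta9' or '2.0-rc1' into a comparable tuple."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised Log4j version string: {text!r}")
    major, minor, patch = int(m.group(1)), int(m.group(2)), int(m.group(3) or 0)
    final = 0 if m.group(4) else 1  # pre-release builds of 2.0 rank below 2.0 itself
    return (major, minor, patch, final)


def version_is_vulnerable(text: str) -> bool:
    """True when the version is below the fix for its release line.
    Assumption (conservative): every 2.x build below 2.12.2 / 2.16.0 is affected.
    Log4j 1.x is outside this CVE's affected range."""
    v = parse_version(text)
    if v[0] != 2:
        return False
    if v[1] <= 12:
        return v < FIXED_JAVA7_LINE   # 2.0 ... 2.12.1 -> fixed in 2.12.2
    return v < FIXED_JAVA8_LINE       # 2.13.0 ... 2.15.0 -> fixed in 2.16.0


def risky_pattern_layouts(config_xml: str) -> List[Tuple[str, str]]:
    """Return (pattern, reason) for each PatternLayout whose pattern contains a risky
    token, whether given as a pattern="..." attribute or a nested <Pattern> element."""
    findings = []
    for layout in ET.fromstring(config_xml).iter("PatternLayout"):
        pattern = layout.get("pattern")
        if pattern is None:
            child = layout.find("Pattern")
            pattern = child.text if child is not None else None
        if not pattern:
            continue
        for rx, reason in RISKY_TOKENS:
            if rx.search(pattern):
                findings.append((pattern, reason))
    return findings


def assess(version: str, config_xml: str) -> str:
    """'patched' if the version carries the fix; otherwise 'exposed' when a risky
    layout is configured, or 'vulnerable-version-only' when this config has none."""
    if not version_is_vulnerable(version):
        return "patched"
    return "exposed" if risky_pattern_layouts(config_xml) else "vulnerable-version-only"


# Constructed sample config using both non-default layouts the advisory describes.
VULNERABLE_CONFIG = """<Configuration status="WARN">
  <Appenders>
    <Console name="Console" target="SYSTEM_OUT">
      <PatternLayout pattern="%d{HH:mm:ss} [%t] %-5level user=%X{loginId} - %msg%n"/>
    </Console>
    <File name="Audit" fileName="audit.log">
      <PatternLayout><Pattern>%d %p $${ctx:loginId} %m%n</Pattern></PatternLayout>
    </File>
  </Appenders>
  <Loggers><Root level="info"><AppenderRef ref="Console"/><AppenderRef ref="Audit"/></Root></Loggers>
</Configuration>"""

# Same config with the MDC tokens removed from both layouts (constructed).
HARDENED_CONFIG = VULNERABLE_CONFIG.replace(" user=%X{loginId}", "").replace(" $${ctx:loginId}", "")

if __name__ == "__main__":
    for ver in ("2.0-beta9", "2.12.1", "2.12.2", "2.15.0", "2.16.0"):
        print(f"{ver:>10}: {assess(ver, VULNERABLE_CONFIG)} / {assess(ver, HARDENED_CONFIG)}")
    for pattern, reason in risky_pattern_layouts(VULNERABLE_CONFIG):
        print(f"risky layout: {reason} in {pattern!r}")
```

Removing the MDC tokens from the layout only removes the trigger described on this page; the verdict 'vulnerable-version-only' is still a version below the fix, and upgrading to 2.12.2 or 2.16.0 remains the fix the advisory names.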


Published

2021-12-14T19:15:07.733

Last Modified

2025-03-12T19:52:00.270

Status

Analyzed

Source

[email protected]

Severity

CVSSv3.1: 9.0 (CRITICAL)

CVSSv2 Vector

AV:N/AC:H/Au:N/C:P/I:P/A:P (base score 5.1, MEDIUM)

  • Access Vector: NETWORK
  • Access Complexity: HIGH
  • Authentication: NONE
  • Confidentiality Impact: PARTIAL
  • Integrity Impact: PARTIAL
  • Availability Impact: PARTIAL

CVSSv2 Exploitability Score

4.9

CVSSv2 Impact Score

6.4

Weaknesses
  • Type: Secondary
    CWE-917 (Improper Neutralization of Special Elements used in an Expression Language Statement, 'Expression Language Injection')
  • Type: Primary
    CWE-917 (Improper Neutralization of Special Elements used in an Expression Language Statement, 'Expression Language Injection')

Affected Vendors & Products

Type              Vendor          Product                                              Version/Range    Vulnerable?
Application       apache          log4j                                                < 2.12.2         Yes
Application       apache          log4j                                                < 2.16.0         Yes
Application       apache          log4j                                                2.0              Yes
Application       cvat            computer_vision_annotation_tool                      -                Yes
Application       intel           audio_development_kit                                -                Yes
Application       intel           datacenter_manager                                   -                Yes
Application       intel           genomics_kernel_library                              -                Yes
Application       intel           oneapi                                               -                Yes
Application       intel           secure_device_onboard                                -                Yes
Application       intel           sensor_solution_firmware_development_kit             -                Yes
Application       intel           system_debugger                                      -                Yes
Application       intel           system_studio                                        -                Yes
Operating System  siemens         sppa-t3000_ses3000_firmware                          *                Yes
Hardware          siemens         sppa-t3000_ses3000                                   -                No
Application       siemens         capital                                              < 2019.1         Yes
Application       siemens         capital                                              2019.1           Yes
Application       siemens         comos                                                *                Yes
Application       siemens         desigo_cc_advanced_reports                           4.0              Yes
Application       siemens         desigo_cc_advanced_reports                           4.1              Yes
Application       siemens         desigo_cc_advanced_reports                           4.2              Yes
Application       siemens         desigo_cc_advanced_reports                           5.0              Yes
Application       siemens         desigo_cc_advanced_reports                           5.1              Yes
Application       siemens         desigo_cc_info_center                                5.0              Yes
Application       siemens         desigo_cc_info_center                                5.1              Yes
Application       siemens         e-car_operation_center                               < 2021-12-13     Yes
Application       siemens         energy_engage                                        3.1              Yes
Application       siemens         energyip                                             8.5              Yes
Application       siemens         energyip                                             8.6              Yes
Application       siemens         energyip                                             8.7              Yes
Application       siemens         energyip                                             9.0              Yes
Application       siemens         energyip_prepay                                      3.7              Yes
Application       siemens         energyip_prepay                                      3.8              Yes
Application       siemens         gma-manager                                          < 8.6.2j-398     Yes
Application       siemens         head-end_system_universal_device_integration_system  *                Yes
Application       siemens         industrial_edge_management                           *                Yes
Application       siemens         industrial_edge_management_hub                       < 2021-12-13     Yes
Application       siemens         logo!_soft_comfort                                   *                Yes
Application       siemens         mendix                                               *                Yes
Application       siemens         mindsphere                                           < 2021-12-11     Yes
Application       siemens         navigator                                            < 2021-12-13     Yes
Application       siemens         nx                                                   *                Yes
Application       siemens         opcenter_intelligence                                ≤ 3.2            Yes
Application       siemens         operation_scheduler                                  ≤ 1.1.3          Yes
Application       siemens         sentron_powermanager                                 4.1              Yes
Application       siemens         sentron_powermanager                                 4.2              Yes
Application       siemens         siguard_dsa                                          4.2              Yes
Application       siemens         siguard_dsa                                          4.3              Yes
Application       siemens         siguard_dsa                                          4.4              Yes
Application       siemens         sipass_integrated                                    2.80             Yes
Application       siemens         sipass_integrated                                    2.85             Yes
Application       siemens         siveillance_command                                  ≤ 4.16.2.1       Yes
Application       siemens         siveillance_control_pro                              *                Yes
Application       siemens         siveillance_identity                                 1.5              Yes
Application       siemens         siveillance_identity                                 1.6              Yes
Application       siemens         siveillance_vantage                                  *                Yes
Application       siemens         siveillance_viewpoint                                *                Yes
Application       siemens         solid_edge_cam_pro                                   *                Yes
Application       siemens         solid_edge_harness_design                            < 2020           Yes
Application       siemens         solid_edge_harness_design                            2020             Yes
Application       siemens         spectrum_power_4                                     < 4.70           Yes
Application       siemens         spectrum_power_4                                     4.70             Yes
Application       siemens         spectrum_power_7                                     < 2.30           Yes
Application       siemens         spectrum_power_7                                     2.30             Yes
Application       siemens         teamcenter                                           *                Yes
Application       siemens         tracealertserverplus                                 *                Yes
Application       siemens         vesys                                                < 2019.1         Yes
Application       siemens         vesys                                                2019.1           Yes
Application       siemens         xpedition_enterprise                                 -                Yes
Application       siemens         xpedition_package_integrator                         -                Yes
Operating System  debian          debian_linux                                         10.0             Yes
Operating System  debian          debian_linux                                         11.0             Yes
Application       sonicwall       email_security                                       < 10.0.12        Yes
Operating System  fedoraproject   fedora                                               34               Yes
Operating System  fedoraproject   fedora                                               35               Yes
Hardware          siemens         6bk1602-0aa12-0tp0                                   -                No
Operating System  siemens         6bk1602-0aa12-0tp0_firmware                          < 2.7.0          Yes
Hardware          siemens         6bk1602-0aa22-0tp0                                   -                No
Operating System  siemens         6bk1602-0aa22-0tp0_firmware                          < 2.7.0          Yes
Hardware          siemens         6bk1602-0aa32-0tp0                                   -                No
Operating System  siemens         6bk1602-0aa32-0tp0_firmware                          < 2.7.0          Yes
Hardware          siemens         6bk1602-0aa42-0tp0                                   -                No
Operating System  siemens         6bk1602-0aa42-0tp0_firmware                          < 2.7.0          Yes
Hardware          siemens         6bk1602-0aa52-0tp0                                   -                No
Operating System  siemens         6bk1602-0aa52-0tp0_firmware                          < 2.7.0          Yes

References