CVE-2021-45046

Source
https://nvd.nist.gov/vuln/detail/CVE-2021-45046
Import Source
https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2021-45046.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2021-45046
Aliases
Related
Published
2021-12-14T19:15:07Z
Modified
2024-11-02T00:50:24.458434Z
Severity
  • 9.0 (Critical) CVSS_V3 - CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H CVSS Calculator
Summary
[none]
Details

It was found that the fix to address CVE-2021-44228 in Apache Log4j 2.15.0 was incomplete in certain non-default configurations. This could allows attackers with control over Thread Context Map (MDC) input data when the logging configuration uses a non-default Pattern Layout with either a Context Lookup (for example, $${ctx:loginId}) or a Thread Context Map pattern (%X, %mdc, or %MDC) to craft malicious input data using a JNDI Lookup pattern resulting in an information leak and remote code execution in some environments and local code execution in all environments. Log4j 2.16.0 (Java 8) and 2.12.2 (Java 7) fix this issue by removing support for message lookup patterns and disabling JNDI functionality by default.

References

Affected packages

Debian:11 / apache-log4j2

Package

Name
apache-log4j2
Purl
pkg:deb/debian/apache-log4j2?arch=source

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
2.16.0-1~deb11u1

Affected versions

2.*

2.13.3-1
2.15.0-1~deb10u1
2.15.0-1~deb11u1
2.15.0-1
2.16.0-1~deb10u1

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Debian:12 / apache-log4j2

Package

Name
apache-log4j2
Purl
pkg:deb/debian/apache-log4j2?arch=source

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
2.16.0-1

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Debian:13 / apache-log4j2

Package

Name
apache-log4j2
Purl
pkg:deb/debian/apache-log4j2?arch=source

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
2.16.0-1

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Git / github.com/apache/logging-log4j2

Affected ranges

Type
GIT
Repo
https://github.com/apache/logging-log4j2
Events
Type
GIT
Repo
https://github.com/cvat-ai/cvat
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed

Affected versions

0.*

0.1.0
0.1.1
0.1.2
0.2.0

v0.*

v0.3.0
v0.4.0
v0.4.1
v0.5.0
v0.5.1
v0.5.2
v0.6.0
v0.6.1

v1.*

v1.0.0
v1.0.0-alpha
v1.0.0-beta.1
v1.0.0-beta.2
v1.1.0
v1.1.0-alpha
v1.1.0-beta
v1.2.0
v1.2.0-beta
v1.3.0
v1.4.0
v1.5.0
v1.6.0
v1.7.0

v2.*

v2.0.0
v2.0.0-alpha
v2.1.0
v2.2.0
v2.3.0
v2.4.0
v2.4.1
v2.4.2
v2.4.3
v2.4.4
v2.4.5
v2.4.6
v2.4.7
v2.4.8
v2.4.9
v2.5.0
v2.5.1
v2.5.2
v2.6.0
v2.6.1
v2.6.2