CVE-2021-45046
CRITICALCVSS Vector
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H
Lifecycle Timeline
4Description
It was found that the fix to address CVE-2021-44228 in Apache Log4j 2.15.0 was incomplete in certain non-default configurations. This could allows attackers with control over Thread Context Map (MDC) input data when the logging configuration uses a non-default Pattern Layout with either a Context Lookup (for example, $${ctx:loginId}) or a Thread Context Map pattern (%X, %mdc, or %MDC) to craft malicious input data using a JNDI Lookup pattern resulting in an information leak and remote code execution in some environments and local code execution in all environments. Log4j 2.16.0 (Java 8) and 2.12.2 (Java 7) fix this issue by removing support for message lookup patterns and disabling JNDI functionality by default.
Analysis
Apache Log4j2 contains an incomplete fix for Log4Shell (CVE-2021-44228) that allows attackers to bypass the initial patch through Thread Context Map (MDC) input data in non-default configurations, enabling RCE and DoS.
Technical Context
The CWE-917 OGNL/EL injection bypass works when logging configurations use Context Lookup patterns (${ctx:loginId}) or Thread Context Map patterns in their Pattern Layout. In these configurations, Log4j 2.15.0's restrictions on JNDI lookups can be circumvented through MDC-injected data.
Affected Products
['Apache Log4j2 2.15.0 (with non-default Pattern Layout using Context Lookup)']
Remediation
Update to Log4j 2.17.1+ (the fully patched version). Log4j 2.16.0 disabled JNDI by default but had additional issues. Only 2.17.1+ is considered fully secure.
Priority Score
Share
External POC / Exploit Code
Leaving vuln.today