Apache Log4j's incomplete fix for CVE-2021-44228 can, in certain non-default configurations, be exploited by attackers to achieve remote code execution.
It was found that the fix to address CVE-2021-44228 in Apache Log4j 2.15.0 was incomplete in certain non-default configurations. This could allow attackers with control over Thread Context Map (MDC) input data, when the logging configuration uses a non-default Pattern Layout with either a Context Lookup (for example, $${ctx:loginId}) or a Thread Context Map pattern (%X, %mdc, or %MDC), to craft malicious input data using a JNDI Lookup pattern, resulting in a denial of service (DoS) attack. Log4j 2.15.0 makes a best-effort attempt to restrict JNDI LDAP lookups to localhost by default. Log4j 2.16.0 fixes this issue by removing support for message lookup patterns and disabling JNDI functionality by default.
This is a further remote code execution vulnerability (CVE-2021-45046) officially disclosed by Apache Log4j shortly after the serious code execution vulnerability CVE-2021-44228 was exposed on December 9, 2021. Its risk score has risen from an initial CVSS 3.7 to CVSS 9.0, from low risk to "high risk".
Affected versions
- All versions from 2.0-beta9 to 2.15.0, excluding 2.12.2
Unaffected versions
- Java 8 (or later) users should upgrade to release 2.16.0.
- Java 7 users should upgrade to release 2.12.2.
Solution
We recommend that users upgrade to an unaffected version as soon as possible. Otherwise, in any release other than 2.16.0, you may remove the JndiLookup class from the classpath:
zip -q -d log4j-core-*.jar org/apache/logging/log4j/core/lookup/JndiLookup.class
Users are advised not to enable JNDI in Log4j 2.16.0. If the JMS Appender is required, use Log4j 2.12.2.
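The two questions a defender has to answer for this advisory are whether the log4j-core jar on the classpath falls in the affected range (and, if so, whether the JndiLookup class has been removed as the interim mitigation above describes), and whether the logging configuration uses the non-default Pattern Layout with a Context Lookup or Thread Context Map pattern that the description refers to. The script below is an added example that checks both; it is not Apache's tooling. It reads the version from the jar's Implementation-Version manifest attribute, which log4j-core ships, and builds a minimal stand-in jar in memory so it runs offline. The sample jar contents, the helper names and the pattern regex are this example's own assumptions.

```python
"""Defender-side checks for CVE-2021-45046 (example code added to this
advisory, not Apache's own tooling).

  1. Is the log4j-core jar in the affected range 2.0-beta9..2.15.0
     (excluding 2.12.2), and has JndiLookup.class been removed?
  2. Does the logging configuration pull Thread Context Map (MDC) data
     into a Pattern Layout via ${ctx:...}, %X, %mdc or %MDC?
"""
import io
import re
import zipfile

JNDI_LOOKUP_ENTRY = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
MANIFEST_ENTRY = "META-INF/MANIFEST.MF"
FIXED_VERSIONS = {"2.16.0", "2.12.2"}  # releases the advisory lists as unaffected
PRE_RELEASE_RANK = {"alpha": -3, "beta": -2, "rc": -1}


def parse_version(version):
    """Turn '2.15.0' or '2.0-beta9' into a comparable tuple.
    Pre-releases sort before the final release via a negative rank."""
    m = re.fullmatch(r"(\d+)\.(\d+)(?:\.(\d+))?(?:-(alpha|beta|rc)(\d+))?", version)
    if not m:
        raise ValueError(f"unrecognised log4j version: {version!r}")
    major, minor, patch, tag, tagnum = m.groups()
    return (int(major), int(minor), int(patch or 0),
            PRE_RELEASE_RANK.get(tag, 0), int(tagnum or 0))


AFFECTED_LOW = parse_version("2.0-beta9")
AFFECTED_HIGH = parse_version("2.15.0")


def is_affected_version(version):
    """Affected range from the advisory: 2.0-beta9 .. 2.15.0, except 2.12.2."""
    if version in FIXED_VERSIONS:
        return False
    return AFFECTED_LOW <= parse_version(version) <= AFFECTED_HIGH


def inspect_log4j_core(jar_bytes):
    """Return (version, jndi_lookup_present) for an in-memory log4j-core jar."""
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as jar:
        names = set(jar.namelist())
        version = None
        if MANIFEST_ENTRY in names:
            manifest = jar.read(MANIFEST_ENTRY).decode("utf-8", "replace")
            m = re.search(r"^Implementation-Version:\s*(\S+)", manifest, re.M)
            if m:
                version = m.group(1)
        return version, JNDI_LOOKUP_ENTRY in names


def assess_jar(jar_bytes):
    """Classify a jar: 'vulnerable', 'mitigated' (affected release but
    JndiLookup.class removed), 'unaffected' or 'unknown-version'."""
    version, has_jndi = inspect_log4j_core(jar_bytes)
    if version is None:
        return "unknown-version"
    if not is_affected_version(version):
        return "unaffected"
    return "vulnerable" if has_jndi else "mitigated"


# ${ctx:...} (or $${ctx:...} as escaped in XML configs) and the MDC
# conversion patterns %X, %mdc, %MDC; %x (lowercase) is the NDC, not MDC.
CONTEXT_PATTERN_RE = re.compile(r"\$\{ctx:|%X\b|%mdc\b|%MDC\b")


def config_uses_context_pattern(config_text):
    """True if a Pattern Layout in the config renders Thread Context Map data,
    i.e. the non-default setup the advisory describes."""
    return bool(CONTEXT_PATTERN_RE.search(config_text))


def build_sample_jar(version, include_jndi_lookup):
    """Construct a minimal stand-in for log4j-core-<version>.jar (constructed
    test data; the class entry is a placeholder, not real bytecode)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as jar:
        jar.writestr(MANIFEST_ENTRY,
                     f"Manifest-Version: 1.0\r\nImplementation-Version: {version}\r\n")
        if include_jndi_lookup:
            jar.writestr(JNDI_LOOKUP_ENTRY, b"\xca\xfe\xba\xbe")
    return buf.getvalue()


if __name__ == "__main__":
    for ver, jndi in (("2.15.0", True), ("2.15.0", False), ("2.16.0", True)):
        print(f"log4j-core {ver} (JndiLookup present={jndi}):",
              assess_jar(build_sample_jar(ver, jndi)))
    cfg = '<PatternLayout pattern="%d %p $${ctx:loginId} %m%n"/>'  # constructed
    print("config uses MDC pattern:", config_uses_context_pattern(cfg))
```

On a real host, replace build_sample_jar with the bytes of each log4j-core jar found on the classpath and feed the contents of log4j2.xml (or the properties/JSON/YAML equivalent) to config_uses_context_pattern; a "mitigated" jar combined with a configuration that does not render MDC data is the interim state the advisory allows, while "vulnerable" calls for the upgrade it recommends.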
Reference: https://nvd.nist.gov/vuln/detail/CVE-2021-45046