CVE-2021-45046 - OpenCVE

It was found that the fix to address CVE-2021-44228 in Apache Log4j 2.15.0 was incomplete in certain non-default configurations. This could allows attackers with control over Thread Context Map (MDC) input data when the logging configuration uses a non-default Pattern Layout with either a Context Lookup (for example, $${ctx:loginId}) or a Thread Context Map pattern (%X, %mdc, or %MDC) to craft malicious input data using a JNDI Lookup pattern resulting in an information leak and remote code execution in some environments and local code execution in all environments. Log4j 2.16.0 (Java 8) and 2.12.2 (Java 7) fix this issue by removing support for message lookup patterns and disabling JNDI functionality by default.

No CVSS v4.0

Attack Vector Network

Attack Complexity High

Privileges Required None

Scope Changed

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

No CVSS v3.0

Access Vector Network

Access Complexity High

Authentication None

Confidentiality Impact Partial

Integrity Impact Partial

Availability Impact Partial

AV:N/AC:H/Au:N/C:P/I:P/A:P

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Apache	Log4j
Debian	Debian Linux
Fedoraproject	Fedora
Intel	Audio Development Kit Computer Vision Annotation Tool Datacenter Manager Genomics Kernel Library Oneapi Secure Device Onboard Sensor Solution Firmware Development Kit System Debugger System Studio
Redhat	Amq Streams Camel Quarkus Integration Jboss Data Grid Jboss Enterprise Application Platform Jboss Fuse Logging Openshift Openshift Application Runtimes
Siemens	6bk1602-0aa12-0tp0 6bk1602-0aa12-0tp0 Firmware 6bk1602-0aa22-0tp0 6bk1602-0aa22-0tp0 Firmware 6bk1602-0aa32-0tp0 6bk1602-0aa32-0tp0 Firmware 6bk1602-0aa42-0tp0 6bk1602-0aa42-0tp0 Firmware 6bk1602-0aa52-0tp0 6bk1602-0aa52-0tp0 Firmware Captial Comos Desigo Cc Advanced Reports Desigo Cc Info Center E-car Operation Center Energy Engage Energyip Energyip Prepay Gma-manager Head-end System Universal Device Integration System Industrial Edge Management Industrial Edge Management Hub Logo\! Soft Comfort Mendix Mindsphere Navigator Nx Opcenter Intelligence Operation Scheduler Sentron Powermanager Siguard Dsa Sipass Integrated Siveillance Command Siveillance Control Pro Siveillance Identity Siveillance Vantage Siveillance Viewpoint Solid Edge Cam Pro Solid Edge Harness Design Spectrum Power 4 Spectrum Power 7 Sppa-t3000 Ses3000 Sppa-t3000 Ses3000 Firmware Teamcenter Tracealertserverplus Vesys Xpedition Enterprise Xpedition Package Integrator
Sonicwall	Email Security

Configuration 1 [-]

OR	cpe:2.3:a:apache:log4j::::::::
	cpe:2.3:a:apache:log4j::::::::
	cpe:2.3:a:apache:log4j:2.0:-::::::
	cpe:2.3:a:apache:log4j:2.0:beta9::::::
	cpe:2.3:a:apache:log4j:2.0:rc1::::::
	cpe:2.3:a:apache:log4j:2.0:rc2::::::

Configuration 2 [-]

OR	cpe:2.3:a:intel:audio_development_kit:-:::::::*
	cpe:2.3:a:intel:computer_vision_annotation_tool:-:::::::*
	cpe:2.3:a:intel:datacenter_manager:-:::::::*
	cpe:2.3:a:intel:genomics_kernel_library:-:::::::*
	cpe:2.3:a:intel:oneapi:-:::::eclipse::
	cpe:2.3:a:intel:secure_device_onboard:-:::::::*
	cpe:2.3:a:intel:sensor_solution_firmware_development_kit:-:::::::*
	cpe:2.3:a:intel:system_debugger:-:::::::*
	cpe:2.3:a:intel:system_studio:-:::::::*

Configuration 3 [-]

AND

cpe:2.3:o:siemens:sppa-t3000_ses3000_firmware:*:*:*:*:*:*:*:*

cpe:2.3:h:siemens:sppa-t3000_ses3000:-:*:*:*:*:*:*:*

Configuration 4 [-]

OR	cpe:2.3:a:siemens:captial::::::::
	cpe:2.3:a:siemens:captial:2019.1:-::::::
	cpe:2.3:a:siemens:captial:2019.1:sp1912::::::
	cpe:2.3:a:siemens:comos::::::::
	cpe:2.3:a:siemens:desigo_cc_advanced_reports:4.0:::::::*
	cpe:2.3:a:siemens:desigo_cc_advanced_reports:4.1:::::::*
	cpe:2.3:a:siemens:desigo_cc_advanced_reports:4.2:::::::*
	cpe:2.3:a:siemens:desigo_cc_advanced_reports:5.0:::::::*
	cpe:2.3:a:siemens:desigo_cc_advanced_reports:5.1:::::::*
	cpe:2.3:a:siemens:desigo_cc_info_center:5.0:::::::*
	cpe:2.3:a:siemens:desigo_cc_info_center:5.1:::::::*
	cpe:2.3:a:siemens:e-car_operation_center::::::::
	cpe:2.3:a:siemens:energy_engage:3.1:::::::*
	cpe:2.3:a:siemens:energyip:8.5:::::::*
	cpe:2.3:a:siemens:energyip:8.6:::::::*
	cpe:2.3:a:siemens:energyip:8.7:::::::*
	cpe:2.3:a:siemens:energyip:9.0:::::::*
	cpe:2.3:a:siemens:energyip_prepay:3.7:::::::*
	cpe:2.3:a:siemens:energyip_prepay:3.8:::::::*
	cpe:2.3:a:siemens:gma-manager::::::::
	cpe:2.3:a:siemens:head-end_system_universal_device_integration_system::::::::
	cpe:2.3:a:siemens:industrial_edge_management::::::::
	cpe:2.3:a:siemens:industrial_edge_management_hub::::::::
	cpe:2.3:a:siemens:logo\!_soft_comfort::::::::
	cpe:2.3:a:siemens:mendix::::::::
	cpe:2.3:a:siemens:mindsphere::::::::
	cpe:2.3:a:siemens:navigator::::::::
	cpe:2.3:a:siemens:nx::::::::
	cpe:2.3:a:siemens:opcenter_intelligence::::::::
	cpe:2.3:a:siemens:operation_scheduler::::::::
	cpe:2.3:a:siemens:sentron_powermanager:4.1:::::::*
	cpe:2.3:a:siemens:sentron_powermanager:4.2:::::::*
	cpe:2.3:a:siemens:siguard_dsa:4.2:::::::*
	cpe:2.3:a:siemens:siguard_dsa:4.3:::::::*
	cpe:2.3:a:siemens:siguard_dsa:4.4:::::::*
	cpe:2.3:a:siemens:sipass_integrated:2.80:::::::*
	cpe:2.3:a:siemens:sipass_integrated:2.85:::::::*
	cpe:2.3:a:siemens:siveillance_command::::::::
	cpe:2.3:a:siemens:siveillance_control_pro::::::::
	cpe:2.3:a:siemens:siveillance_identity:1.5:::::::*
	cpe:2.3:a:siemens:siveillance_identity:1.6:::::::*
	cpe:2.3:a:siemens:siveillance_vantage::::::::
	cpe:2.3:a:siemens:siveillance_viewpoint::::::::
	cpe:2.3:a:siemens:solid_edge_cam_pro::::::::
	cpe:2.3:a:siemens:solid_edge_harness_design::::::::
	cpe:2.3:a:siemens:solid_edge_harness_design:2020:::::::*
	cpe:2.3:a:siemens:solid_edge_harness_design:2020:-::::::
	cpe:2.3:a:siemens:solid_edge_harness_design:2020:sp2002::::::
	cpe:2.3:a:siemens:spectrum_power_4::::::::
	cpe:2.3:a:siemens:spectrum_power_4:4.70:-::::::
	cpe:2.3:a:siemens:spectrum_power_4:4.70:sp7::::::
	cpe:2.3:a:siemens:spectrum_power_4:4.70:sp8::::::
	cpe:2.3:a:siemens:spectrum_power_7::::::::
	cpe:2.3:a:siemens:spectrum_power_7:2.30:::::::*
	cpe:2.3:a:siemens:spectrum_power_7:2.30:-::::::
	cpe:2.3:a:siemens:spectrum_power_7:2.30:sp2::::::
	cpe:2.3:a:siemens:teamcenter::::::::
	cpe:2.3:a:siemens:tracealertserverplus::::::::
	cpe:2.3:a:siemens:vesys::::::::
	cpe:2.3:a:siemens:vesys:2019.1:::::::*
	cpe:2.3:a:siemens:vesys:2019.1:-::::::
	cpe:2.3:a:siemens:vesys:2019.1:sp1912::::::
	cpe:2.3:a:siemens:xpedition_enterprise:-:::::::*
	cpe:2.3:a:siemens:xpedition_package_integrator:-:::::::*

Configuration 5 [-]

OR	cpe:2.3:o:debian:debian_linux:10.0:::::::*
	cpe:2.3:o:debian:debian_linux:11.0:::::::*

Configuration 6 [-]

cpe:2.3:a:sonicwall:email_security:*:*:*:*:*:*:*:*

Configuration 7 [-]

OR	cpe:2.3:o:fedoraproject:fedora:34:::::::*
	cpe:2.3:o:fedoraproject:fedora:35:::::::*

Configuration 8 [-]

AND

cpe:2.3:h:siemens:6bk1602-0aa12-0tp0:-:*:*:*:*:*:*:*

cpe:2.3:o:siemens:6bk1602-0aa12-0tp0_firmware:*:*:*:*:*:*:*:*

Configuration 9 [-]

AND

cpe:2.3:h:siemens:6bk1602-0aa22-0tp0:-:*:*:*:*:*:*:*

cpe:2.3:o:siemens:6bk1602-0aa22-0tp0_firmware:*:*:*:*:*:*:*:*

Configuration 10 [-]

AND

cpe:2.3:h:siemens:6bk1602-0aa32-0tp0:-:*:*:*:*:*:*:*

cpe:2.3:o:siemens:6bk1602-0aa32-0tp0_firmware:*:*:*:*:*:*:*:*

Configuration 11 [-]

AND

cpe:2.3:h:siemens:6bk1602-0aa42-0tp0:-:*:*:*:*:*:*:*

cpe:2.3:o:siemens:6bk1602-0aa42-0tp0_firmware:*:*:*:*:*:*:*:*

Configuration 12 [-]

AND

cpe:2.3:h:siemens:6bk1602-0aa52-0tp0:-:*:*:*:*:*:*:*

cpe:2.3:o:siemens:6bk1602-0aa52-0tp0_firmware:*:*:*:*:*:*:*:*

Package	CPE	Advisory	Released Date
EAP 7.4.4 release
log4j-core	cpe:/a:redhat:jboss_enterprise_application_platform:7.4	RHSA-2022:1299	2022-04-11T00:00:00Z
EAP 7.4 log4j async
log4j-core	cpe:/a:redhat:jboss_enterprise_application_platform:7.4	RHSA-2022:0216	2022-01-20T00:00:00Z
OpenShift Logging 5.0
openshift-logging/elasticsearch6-rhel8:v5.0.10-1	cpe:/a:redhat:logging:5.0::el8	RHSA-2021:5137	2021-12-14T00:00:00Z
OpenShift Logging 5.1
openshift-logging/elasticsearch6-rhel8:v6.8.1-67	cpe:/a:redhat:logging:5.1::el8	RHSA-2021:5128	2021-12-14T00:00:00Z
OpenShift Logging 5.2
openshift-logging/elasticsearch6-rhel8:v6.8.1-66	cpe:/a:redhat:logging:5.2::el8	RHSA-2021:5127	2021-12-14T00:00:00Z
OpenShift Logging 5.3
openshift-logging/elasticsearch6-rhel8:v6.8.1-65	cpe:/a:redhat:logging:5.3::el8	RHSA-2021:5129	2021-12-14T00:00:00Z
Red Hat AMQ Streams 2.0.0
	cpe:/a:redhat:amq_streams:2	RHSA-2022:0138	2022-01-13T00:00:00Z
Red Hat Data Grid 8.2.3
log4j-core	cpe:/a:redhat:jboss_data_grid:8.2	RHSA-2022:0205	2022-01-20T00:00:00Z
Red Hat Fuse 7.8.2, 7.9.1, 7.10.1
log4j-core	cpe:/a:redhat:jboss_fuse:7	RHSA-2022:0203	2022-01-20T00:00:00Z
Red Hat Integration Camel Extensions for Quarkus 2.2
log4j-core	cpe:/a:redhat:camel_quarkus:2.2	RHSA-2022:0222	2022-01-20T00:00:00Z
Red Hat Integration Camel-K 1.6.3
log4j-core	cpe:/a:redhat:integration:1	RHSA-2022:0223	2022-01-20T00:00:00Z
Red Hat JBoss Enterprise Application Platform 7.4 for RHEL 8
eap7-log4j-0:2.17.1-1.redhat_00001.1.el8eap	cpe:/a:redhat:jboss_enterprise_application_platform:7.4::el8	RHSA-2022:1297	2022-04-11T00:00:00Z
Red Hat JBoss Enterprise Application Platform 7.4 on RHEL 7
eap7-log4j-0:2.17.1-1.redhat_00001.1.el7eap	cpe:/a:redhat:jboss_enterprise_application_platform:7.4::el7	RHSA-2022:1296	2022-04-11T00:00:00Z
Red Hat OpenShift Container Platform 3.11
openshift3/ose-logging-elasticsearch5:v3.11.570-2.gd119820	cpe:/a:redhat:openshift:3.11::el7	RHSA-2021:5094	2021-12-14T00:00:00Z
Red Hat OpenShift Container Platform 4.6
openshift4/ose-logging-elasticsearch6:v4.6.0-202112132021.p0.g2a13a81.assembly.stream	cpe:/a:redhat:openshift:4.6::el8	RHSA-2021:5106	2021-12-16T00:00:00Z
openshift4/ose-metering-hive:v4.6.0-202112140546.p0.g8b9da97.assembly.stream	cpe:/a:redhat:openshift:4.6::el8	RHSA-2021:5106	2021-12-16T00:00:00Z
openshift4/ose-metering-presto:v4.6.0-202112150545.p0.g190688a.assembly.art3595	cpe:/a:redhat:openshift:4.6::el8	RHSA-2021:5141	2021-12-16T00:00:00Z
Red Hat OpenShift Container Platform 4.7
openshift4/ose-metering-hive:v4.7.0-202112140553.p0.g091bb99.assembly.stream	cpe:/a:redhat:openshift:4.7::el8	RHSA-2021:5107	2021-12-16T00:00:00Z
openshift4/ose-metering-presto:v4.7.0-202112150631.p0.gd502108.assembly.4.7.40	cpe:/a:redhat:openshift:4.7::el8	RHSA-2021:5107	2021-12-16T00:00:00Z
Red Hat OpenShift Container Platform 4.8
openshift4/ose-metering-hive:v4.8.0-202112132154.p0.g57dd03a.assembly.stream	cpe:/a:redhat:openshift:4.8::el8	RHSA-2021:5108	2021-12-14T00:00:00Z
openshift4/ose-metering-presto:v4.8.0-202112150431.p0.g4b934ae.assembly.art3599	cpe:/a:redhat:openshift:4.8::el8	RHSA-2021:5148	2021-12-15T00:00:00Z
Vert.x 4.1.8
log4j-core	cpe:/a:redhat:openshift_application_runtimes:1.0	RHSA-2022:0083	2022-01-20T00:00:00Z

References

Link	Providers
http://www.openwall.com/lists/oss-security/2021/12/14/4
http://www.openwall.com/lists/oss-security/2021/12/15/3
http://www.openwall.com/lists/oss-security/2021/12/18/1
https://access.redhat.com/security/cve/CVE-2021-44228
https://cert-portal.siemens.com/productcert/pdf/ssa-397453.pdf
https://cert-portal.siemens.com/productcert/pdf/ssa-479842.pdf
https://cert-portal.siemens.com/productcert/pdf/ssa-661247.pdf
https://cert-portal.siemens.com/productcert/pdf/ssa-714170.pdf
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/EOKPQGV24RRBBI4TBZUDQMM4MEH7MXCY/
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/SIG7FZULMNK2XF6FZRU4VWYDQXNMUGAJ/
https://logging.apache.org/log4j/2.x/security.html
https://nvd.nist.gov/vuln/detail/CVE-2021-45046
https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2021-0032
https://security.gentoo.org/glsa/202310-16
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-apache-log4j-qRuKNEbd
https://www.cisa.gov/known-exploited-vulnerabilities-catalog
https://www.cve.org/CVERecord?id=CVE-2021-44228
https://www.cve.org/CVERecord?id=CVE-2021-45046
https://www.debian.org/security/2021/dsa-5022
https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00646.html
https://www.kb.cert.org/vuls/id/930724
https://www.openwall.com/lists/oss-security/2021/12/14/4
https://www.oracle.com/security-alerts/alert-cve-2021-44228.html
https://www.oracle.com/security-alerts/cpuapr2022.html
https://www.oracle.com/security-alerts/cpujan2022.html
https://www.oracle.com/security-alerts/cpujul2022.html

History

Wed, 14 Aug 2024 00:45:00 +0000

Type	Values Removed	Values Added
References		https://www.cisa.gov/known-exploited-vulnerabilities-catalog

MITRE

Status: PUBLISHED

Assigner: apache

Published: 2021-12-14T16:55:09

Updated: 2024-08-04T04:32:13.624Z

Reserved: 2021-12-14T00:00:00

Link: CVE-2021-45046

Vulnrichment

No data.

NVD

Status : Analyzed

Published: 2021-12-14T19:15:07.733

Modified: 2024-06-27T19:24:09.027

Link: CVE-2021-45046

Redhat

Severity : Moderate

Publid Date: 2021-12-14T00:00:00Z

Links: CVE-2021-45046 - Bugzilla

Metrics

Attack Vector Network

Attack Complexity High

Privileges Required None

Scope Changed

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

Access Vector Network

Access Complexity High

Authentication None

Confidentiality Impact Partial

Integrity Impact Partial

Availability Impact Partial

Affected Vendors & Products

Metrics

Attack Vector Network

Attack Complexity High

Privileges Required None

Scope Changed

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

Access Vector Network

Access Complexity High

Authentication None

Confidentiality Impact Partial

Integrity Impact Partial

Availability Impact Partial

Affected Vendors & Products

JSON object

JSON object

JSON object

JSON object