{"containers": {"cna": {"affected": [{"product": "Apache Log4j", "vendor": "Apache Software Foundation", "versions": [{"lessThan": "2.16.0", "status": "affected", "version": "Apache Log4j2", "versionType": "custom"}]}], "descriptions": [{"lang": "en", "value": "It was found that the fix to address CVE-2021-44228 in Apache Log4j 2.15.0 was incomplete in certain non-default configurations. This could allows attackers with control over Thread Context Map (MDC) input data when the logging configuration uses a non-default Pattern Layout with either a Context Lookup (for example, $${ctx:loginId}) or a Thread Context Map pattern (%X, %mdc, or %MDC) to craft malicious input data using a JNDI Lookup pattern resulting in an information leak and remote code execution in some environments and local code execution in all environments. Log4j 2.16.0 (Java 8) and 2.12.2 (Java 7) fix this issue by removing support for message lookup patterns and disabling JNDI functionality by default."}], "metrics": [{"other": {"content": {"other": "moderate (CVSS: 3.7 AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L)"}, "type": "unknown"}}], "problemTypes": [{"descriptions": [{"cweId": "CWE-917", "description": "CWE-917 Improper Neutralization of Special Elements used in an Expression Language Statement ('Expression Language Injection')", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09", "shortName": "apache", "dateUpdated": "2023-10-26T06:06:18.017Z"}, "references": [{"tags": ["x_refsource_CONFIRM"], "url": "https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2021-0032"}, {"tags": ["x_refsource_CONFIRM"], "url": "https://www.oracle.com/security-alerts/alert-cve-2021-44228.html"}, {"tags": ["x_refsource_MISC"], "url": "https://www.cve.org/CVERecord?id=CVE-2021-44228"}, {"name": "[oss-security] 20211214 CVE-2021-45046: Apache Log4j2 Thread Context Message Pattern and Context Lookup Pattern vulnerable to a denial of service attack", "tags": ["mailing-list", "x_refsource_MLIST"], "url": "http://www.openwall.com/lists/oss-security/2021/12/14/4"}, {"tags": ["x_refsource_CONFIRM"], "url": "https://logging.apache.org/log4j/2.x/security.html"}, {"name": "VU#930724", "tags": ["third-party-advisory", "x_refsource_CERT-VN"], "url": "https://www.kb.cert.org/vuls/id/930724"}, {"tags": ["x_refsource_CONFIRM"], "url": "https://cert-portal.siemens.com/productcert/pdf/ssa-661247.pdf"}, {"tags": ["x_refsource_CONFIRM"], "url": "https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00646.html"}, {"name": "20211210 Vulnerabilities in Apache Log4j Library Affecting Cisco Products: December 2021", "tags": ["vendor-advisory", "x_refsource_CISCO"], "url": "https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-apache-log4j-qRuKNEbd"}, {"name": "[oss-security] 20211215 Re: CVE-2021-45046: Apache Log4j2 Thread Context Message Pattern and Context Lookup Pattern vulnerable to a denial of service attack", "tags": ["mailing-list", "x_refsource_MLIST"], "url": "http://www.openwall.com/lists/oss-security/2021/12/15/3"}, {"tags": ["x_refsource_CONFIRM"], "url": "https://cert-portal.siemens.com/productcert/pdf/ssa-714170.pdf"}, {"name": "DSA-5022", "tags": ["vendor-advisory", "x_refsource_DEBIAN"], "url": "https://www.debian.org/security/2021/dsa-5022"}, {"name": "[oss-security] 20211218 Re: CVE-2021-45046: Apache Log4j2 Thread Context Message Pattern and Context Lookup Pattern vulnerable to a denial of service attack", "tags": ["mailing-list", "x_refsource_MLIST"], "url": "http://www.openwall.com/lists/oss-security/2021/12/18/1"}, {"tags": ["x_refsource_CONFIRM"], "url": "https://cert-portal.siemens.com/productcert/pdf/ssa-397453.pdf"}, {"tags": ["x_refsource_CONFIRM"], "url": "https://cert-portal.siemens.com/productcert/pdf/ssa-479842.pdf"}, {"name": "FEDORA-2021-5c9d12a93e", "tags": ["vendor-advisory", "x_refsource_FEDORA"], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/EOKPQGV24RRBBI4TBZUDQMM4MEH7MXCY/"}, {"name": "FEDORA-2021-abbe24e41c", "tags": ["vendor-advisory", "x_refsource_FEDORA"], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/SIG7FZULMNK2XF6FZRU4VWYDQXNMUGAJ/"}, {"tags": ["x_refsource_MISC"], "url": "https://www.oracle.com/security-alerts/cpujan2022.html"}, {"tags": ["x_refsource_MISC"], "url": "https://www.oracle.com/security-alerts/cpuapr2022.html"}, {"tags": ["x_refsource_MISC"], "url": "https://www.oracle.com/security-alerts/cpujul2022.html"}, {"url": "https://security.gentoo.org/glsa/202310-16"}], "source": {"discovery": "UNKNOWN"}, "title": "Apache Log4j2 Thread Context Message Pattern and Context Lookup Pattern vulnerable to a denial of service attack", "x_generator": {"engine": "Vulnogram 0.0.9"}, "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "security@apache.org", "ID": "CVE-2021-45046", "STATE": "PUBLIC", "TITLE": "Apache Log4j2 Thread Context Message Pattern and Context Lookup Pattern vulnerable to a denial of service attack"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "Apache Log4j", "version": {"version_data": [{"version_affected": "<", "version_name": "Apache Log4j2", "version_value": "2.16.0"}]}}]}, "vendor_name": "Apache Software Foundation"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "It was found that the fix to address CVE-2021-44228 in Apache Log4j 2.15.0 was incomplete in certain non-default configurations. This could allows attackers with control over Thread Context Map (MDC) input data when the logging configuration uses a non-default Pattern Layout with either a Context Lookup (for example, $${ctx:loginId}) or a Thread Context Map pattern (%X, %mdc, or %MDC) to craft malicious input data using a JNDI Lookup pattern resulting in an information leak and remote code execution in some environments and local code execution in all environments. Log4j 2.16.0 (Java 8) and 2.12.2 (Java 7) fix this issue by removing support for message lookup patterns and disabling JNDI functionality by default."}]}, "generator": {"engine": "Vulnogram 0.0.9"}, "impact": [{"other": "moderate (CVSS: 3.7 AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L)"}], "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "CWE-917 Improper Neutralization of Special Elements used in an Expression Language Statement ('Expression Language Injection')"}]}]}, "references": {"reference_data": [{"name": "https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2021-0032", "refsource": "CONFIRM", "url": "https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2021-0032"}, {"name": "https://www.oracle.com/security-alerts/alert-cve-2021-44228.html", "refsource": "CONFIRM", "url": "https://www.oracle.com/security-alerts/alert-cve-2021-44228.html"}, {"name": "https://www.cve.org/CVERecord?id=CVE-2021-44228", "refsource": "MISC", "url": "https://www.cve.org/CVERecord?id=CVE-2021-44228"}, {"name": "[oss-security] 20211214 CVE-2021-45046: Apache Log4j2 Thread Context Message Pattern and Context Lookup Pattern vulnerable to a denial of service attack", "refsource": "MLIST", "url": "http://www.openwall.com/lists/oss-security/2021/12/14/4"}, {"name": "https://logging.apache.org/log4j/2.x/security.html", "refsource": "CONFIRM", "url": "https://logging.apache.org/log4j/2.x/security.html"}, {"name": "VU#930724", "refsource": "CERT-VN", "url": "https://www.kb.cert.org/vuls/id/930724"}, {"name": "https://cert-portal.siemens.com/productcert/pdf/ssa-661247.pdf", "refsource": "CONFIRM", "url": "https://cert-portal.siemens.com/productcert/pdf/ssa-661247.pdf"}, {"name": "https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00646.html", "refsource": "CONFIRM", "url": "https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00646.html"}, {"name": "20211210 Vulnerabilities in Apache Log4j Library Affecting Cisco Products: December 2021", "refsource": "CISCO", "url": "https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-apache-log4j-qRuKNEbd"}, {"name": "[oss-security] 20211215 Re: CVE-2021-45046: Apache Log4j2 Thread Context Message Pattern and Context Lookup Pattern vulnerable to a denial of service attack", "refsource": "MLIST", "url": "http://www.openwall.com/lists/oss-security/2021/12/15/3"}, {"name": "https://cert-portal.siemens.com/productcert/pdf/ssa-714170.pdf", "refsource": "CONFIRM", "url": "https://cert-portal.siemens.com/productcert/pdf/ssa-714170.pdf"}, {"name": "DSA-5022", "refsource": "DEBIAN", "url": "https://www.debian.org/security/2021/dsa-5022"}, {"name": "[oss-security] 20211218 Re: CVE-2021-45046: Apache Log4j2 Thread Context Message Pattern and Context Lookup Pattern vulnerable to a denial of service attack", "refsource": "MLIST", "url": "http://www.openwall.com/lists/oss-security/2021/12/18/1"}, {"name": "https://cert-portal.siemens.com/productcert/pdf/ssa-397453.pdf", "refsource": "CONFIRM", "url": "https://cert-portal.siemens.com/productcert/pdf/ssa-397453.pdf"}, {"name": "https://cert-portal.siemens.com/productcert/pdf/ssa-479842.pdf", "refsource": "CONFIRM", "url": "https://cert-portal.siemens.com/productcert/pdf/ssa-479842.pdf"}, {"name": "FEDORA-2021-5c9d12a93e", "refsource": "FEDORA", "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/EOKPQGV24RRBBI4TBZUDQMM4MEH7MXCY/"}, {"name": "FEDORA-2021-abbe24e41c", "refsource": "FEDORA", "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/SIG7FZULMNK2XF6FZRU4VWYDQXNMUGAJ/"}, {"name": "https://www.oracle.com/security-alerts/cpujan2022.html", "refsource": "MISC", "url": "https://www.oracle.com/security-alerts/cpujan2022.html"}, {"name": "https://www.oracle.com/security-alerts/cpuapr2022.html", "refsource": "MISC", "url": "https://www.oracle.com/security-alerts/cpuapr2022.html"}, {"name": "https://www.oracle.com/security-alerts/cpujul2022.html", "refsource": "MISC", "url": "https://www.oracle.com/security-alerts/cpujul2022.html"}]}, "source": {"discovery": "UNKNOWN"}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-04T04:32:13.624Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2021-0032"}, {"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://www.oracle.com/security-alerts/alert-cve-2021-44228.html"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://www.cve.org/CVERecord?id=CVE-2021-44228"}, {"name": "[oss-security] 20211214 CVE-2021-45046: Apache Log4j2 Thread Context Message Pattern and Context Lookup Pattern vulnerable to a denial of service attack", "tags": ["mailing-list", "x_refsource_MLIST", "x_transferred"], "url": "http://www.openwall.com/lists/oss-security/2021/12/14/4"}, {"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://logging.apache.org/log4j/2.x/security.html"}, {"name": "VU#930724", "tags": ["third-party-advisory", "x_refsource_CERT-VN", "x_transferred"], "url": "https://www.kb.cert.org/vuls/id/930724"}, {"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://cert-portal.siemens.com/productcert/pdf/ssa-661247.pdf"}, {"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00646.html"}, {"name": "20211210 Vulnerabilities in Apache Log4j Library Affecting Cisco Products: December 2021", "tags": ["vendor-advisory", "x_refsource_CISCO", "x_transferred"], "url": "https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-apache-log4j-qRuKNEbd"}, {"name": "[oss-security] 20211215 Re: CVE-2021-45046: Apache Log4j2 Thread Context Message Pattern and Context Lookup Pattern vulnerable to a denial of service attack", "tags": ["mailing-list", "x_refsource_MLIST", "x_transferred"], "url": "http://www.openwall.com/lists/oss-security/2021/12/15/3"}, {"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://cert-portal.siemens.com/productcert/pdf/ssa-714170.pdf"}, {"name": "DSA-5022", "tags": ["vendor-advisory", "x_refsource_DEBIAN", "x_transferred"], "url": "https://www.debian.org/security/2021/dsa-5022"}, {"name": "[oss-security] 20211218 Re: CVE-2021-45046: Apache Log4j2 Thread Context Message Pattern and Context Lookup Pattern vulnerable to a denial of service attack", "tags": ["mailing-list", "x_refsource_MLIST", "x_transferred"], "url": "http://www.openwall.com/lists/oss-security/2021/12/18/1"}, {"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://cert-portal.siemens.com/productcert/pdf/ssa-397453.pdf"}, {"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://cert-portal.siemens.com/productcert/pdf/ssa-479842.pdf"}, {"name": "FEDORA-2021-5c9d12a93e", "tags": ["vendor-advisory", "x_refsource_FEDORA", "x_transferred"], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/EOKPQGV24RRBBI4TBZUDQMM4MEH7MXCY/"}, {"name": "FEDORA-2021-abbe24e41c", "tags": ["vendor-advisory", "x_refsource_FEDORA", "x_transferred"], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/SIG7FZULMNK2XF6FZRU4VWYDQXNMUGAJ/"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://www.oracle.com/security-alerts/cpujan2022.html"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://www.oracle.com/security-alerts/cpuapr2022.html"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://www.oracle.com/security-alerts/cpujul2022.html"}, {"url": "https://security.gentoo.org/glsa/202310-16", "tags": ["x_transferred"]}]}, {"metrics": [{"cvssV3_1": {"scope": "CHANGED", "version": "3.1", "baseScore": 9, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "HIGH", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}}, {"other": {"type": "ssvc", "content": {"id": "CVE-2021-45046", "role": "CISA Coordinator", "options": [{"Exploitation": "active"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2025-02-04T19:31:22.638704Z"}}}, {"other": {"type": "kev", "content": {"dateAdded": "2023-05-01", "reference": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2021-45046"}}}], "references": [{"url": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2021-45046", "tags": ["government-resource"]}], "timeline": [{"time": "2023-05-01T00:00:00+00:00", "lang": "en", "value": "CVE-2021-45046 added to CISA KEV"}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-10-21T23:25:22.768Z"}}]}, "cveMetadata": {"assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09", "assignerShortName": "apache", "cveId": "CVE-2021-45046", "datePublished": "2021-12-14T16:55:09.000Z", "dateReserved": "2021-12-14T00:00:00.000Z", "dateUpdated": "2025-10-21T23:25:22.768Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CVE Program Container", "references": [{"url": "https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2021-0032", "tags": ["x_refsource_CONFIRM", "x_transferred"]}, {"url": "https://www.oracle.com/security-alerts/alert-cve-2021-44228.html", "tags": ["x_refsource_CONFIRM", "x_transferred"]}, {"url": "https://www.cve.org/CVERecord?id=CVE-2021-44228", "tags": ["x_refsource_MISC", "x_transferred"]}, {"url": "http://www.openwall.com/lists/oss-security/2021/12/14/4", "name": "[oss-security] 20211214 CVE-2021-45046: Apache Log4j2 Thread Context Message Pattern and Context Lookup Pattern vulnerable to a denial of service attack", "tags": ["mailing-list", "x_refsource_MLIST", "x_transferred"]}, {"url": "https://logging.apache.org/log4j/2.x/security.html", "tags": ["x_refsource_CONFIRM", "x_transferred"]}, {"url": "https://www.kb.cert.org/vuls/id/930724", "name": "VU#930724", "tags": ["third-party-advisory", "x_refsource_CERT-VN", "x_transferred"]}, {"url": "https://cert-portal.siemens.com/productcert/pdf/ssa-661247.pdf", "tags": ["x_refsource_CONFIRM", "x_transferred"]}, {"url": "https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00646.html", "tags": ["x_refsource_CONFIRM", "x_transferred"]}, {"url": "https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-apache-log4j-qRuKNEbd", "name": "20211210 Vulnerabilities in Apache Log4j Library Affecting Cisco Products: December 2021", "tags": ["vendor-advisory", "x_refsource_CISCO", "x_transferred"]}, {"url": "http://www.openwall.com/lists/oss-security/2021/12/15/3", "name": "[oss-security] 20211215 Re: CVE-2021-45046: Apache Log4j2 Thread Context Message Pattern and Context Lookup Pattern vulnerable to a denial of service attack", "tags": ["mailing-list", "x_refsource_MLIST", "x_transferred"]}, {"url": "https://cert-portal.siemens.com/productcert/pdf/ssa-714170.pdf", "tags": ["x_refsource_CONFIRM", "x_transferred"]}, {"url": "https://www.debian.org/security/2021/dsa-5022", "name": "DSA-5022", "tags": ["vendor-advisory", "x_refsource_DEBIAN", "x_transferred"]}, {"url": "http://www.openwall.com/lists/oss-security/2021/12/18/1", "name": "[oss-security] 20211218 Re: CVE-2021-45046: Apache Log4j2 Thread Context Message Pattern and Context Lookup Pattern vulnerable to a denial of service attack", "tags": ["mailing-list", "x_refsource_MLIST", "x_transferred"]}, {"url": "https://cert-portal.siemens.com/productcert/pdf/ssa-397453.pdf", "tags": ["x_refsource_CONFIRM", "x_transferred"]}, {"url": "https://cert-portal.siemens.com/productcert/pdf/ssa-479842.pdf", "tags": ["x_refsource_CONFIRM", "x_transferred"]}, {"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/EOKPQGV24RRBBI4TBZUDQMM4MEH7MXCY/", "name": "FEDORA-2021-5c9d12a93e", "tags": ["vendor-advisory", "x_refsource_FEDORA", "x_transferred"]}, {"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/SIG7FZULMNK2XF6FZRU4VWYDQXNMUGAJ/", "name": "FEDORA-2021-abbe24e41c", "tags": ["vendor-advisory", "x_refsource_FEDORA", "x_transferred"]}, {"url": "https://www.oracle.com/security-alerts/cpujan2022.html", "tags": ["x_refsource_MISC", "x_transferred"]}, {"url": "https://www.oracle.com/security-alerts/cpuapr2022.html", "tags": ["x_refsource_MISC", "x_transferred"]}, {"url": "https://www.oracle.com/security-alerts/cpujul2022.html", "tags": ["x_refsource_MISC", "x_transferred"]}, {"url": "https://security.gentoo.org/glsa/202310-16", "tags": ["x_transferred"]}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-04T04:32:13.624Z"}}, {"title": "CISA ADP Vulnrichment", "metrics": [{"cvssV3_1": {"scope": "CHANGED", "version": "3.1", "baseScore": 9, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "HIGH", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}}, {"other": {"type": "ssvc", "content": {"id": "CVE-2021-45046", "role": "CISA Coordinator", "options": [{"Exploitation": "active"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2025-02-04T19:31:22.638704Z"}}}, {"other": {"type": "kev", "content": {"dateAdded": "2023-05-01", "reference": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2021-45046"}}}], "timeline": [{"lang": "en", "time": "2023-05-01T00:00:00+00:00", "value": "CVE-2021-45046 added to CISA KEV"}], "references": [{"url": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2021-45046", "tags": ["government-resource"]}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-02-04T19:31:38.496Z"}}], "cna": {"title": "Apache Log4j2 Thread Context Message Pattern and Context Lookup Pattern vulnerable to a denial of service attack", "source": {"discovery": "UNKNOWN"}, "metrics": [{"other": {"type": "unknown", "content": {"other": "moderate (CVSS: 3.7 AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L)"}}}], "affected": [{"vendor": "Apache Software Foundation", "product": "Apache Log4j", "versions": [{"status": "affected", "version": "Apache Log4j2", "lessThan": "2.16.0", "versionType": "custom"}]}], "references": [{"url": "https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2021-0032", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://www.oracle.com/security-alerts/alert-cve-2021-44228.html", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://www.cve.org/CVERecord?id=CVE-2021-44228", "tags": ["x_refsource_MISC"]}, {"url": "http://www.openwall.com/lists/oss-security/2021/12/14/4", "name": "[oss-security] 20211214 CVE-2021-45046: Apache Log4j2 Thread Context Message Pattern and Context Lookup Pattern vulnerable to a denial of service attack", "tags": ["mailing-list", "x_refsource_MLIST"]}, {"url": "https://logging.apache.org/log4j/2.x/security.html", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://www.kb.cert.org/vuls/id/930724", "name": "VU#930724", "tags": ["third-party-advisory", "x_refsource_CERT-VN"]}, {"url": "https://cert-portal.siemens.com/productcert/pdf/ssa-661247.pdf", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00646.html", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-apache-log4j-qRuKNEbd", "name": "20211210 Vulnerabilities in Apache Log4j Library Affecting Cisco Products: December 2021", "tags": ["vendor-advisory", "x_refsource_CISCO"]}, {"url": "http://www.openwall.com/lists/oss-security/2021/12/15/3", "name": "[oss-security] 20211215 Re: CVE-2021-45046: Apache Log4j2 Thread Context Message Pattern and Context Lookup Pattern vulnerable to a denial of service attack", "tags": ["mailing-list", "x_refsource_MLIST"]}, {"url": "https://cert-portal.siemens.com/productcert/pdf/ssa-714170.pdf", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://www.debian.org/security/2021/dsa-5022", "name": "DSA-5022", "tags": ["vendor-advisory", "x_refsource_DEBIAN"]}, {"url": "http://www.openwall.com/lists/oss-security/2021/12/18/1", "name": "[oss-security] 20211218 Re: CVE-2021-45046: Apache Log4j2 Thread Context Message Pattern and Context Lookup Pattern vulnerable to a denial of service attack", "tags": ["mailing-list", "x_refsource_MLIST"]}, {"url": "https://cert-portal.siemens.com/productcert/pdf/ssa-397453.pdf", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://cert-portal.siemens.com/productcert/pdf/ssa-479842.pdf", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/EOKPQGV24RRBBI4TBZUDQMM4MEH7MXCY/", "name": "FEDORA-2021-5c9d12a93e", "tags": ["vendor-advisory", "x_refsource_FEDORA"]}, {"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/SIG7FZULMNK2XF6FZRU4VWYDQXNMUGAJ/", "name": "FEDORA-2021-abbe24e41c", "tags": ["vendor-advisory", "x_refsource_FEDORA"]}, {"url": "https://www.oracle.com/security-alerts/cpujan2022.html", "tags": ["x_refsource_MISC"]}, {"url": "https://www.oracle.com/security-alerts/cpuapr2022.html", "tags": ["x_refsource_MISC"]}, {"url": "https://www.oracle.com/security-alerts/cpujul2022.html", "tags": ["x_refsource_MISC"]}, {"url": "https://security.gentoo.org/glsa/202310-16"}], "x_generator": {"engine": "Vulnogram 0.0.9"}, "descriptions": [{"lang": "en", "value": "It was found that the fix to address CVE-2021-44228 in Apache Log4j 2.15.0 was incomplete in certain non-default configurations. This could allows attackers with control over Thread Context Map (MDC) input data when the logging configuration uses a non-default Pattern Layout with either a Context Lookup (for example, $${ctx:loginId}) or a Thread Context Map pattern (%X, %mdc, or %MDC) to craft malicious input data using a JNDI Lookup pattern resulting in an information leak and remote code execution in some environments and local code execution in all environments. Log4j 2.16.0 (Java 8) and 2.12.2 (Java 7) fix this issue by removing support for message lookup patterns and disabling JNDI functionality by default."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-917", "description": "CWE-917 Improper Neutralization of Special Elements used in an Expression Language Statement ('Expression Language Injection')"}]}], "providerMetadata": {"orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09", "shortName": "apache", "dateUpdated": "2023-10-26T06:06:18.017Z"}, "x_legacyV4Record": {"impact": [{"other": "moderate (CVSS: 3.7 AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L)"}], "source": {"discovery": "UNKNOWN"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"version": {"version_data": [{"version_name": "Apache Log4j2", "version_value": "2.16.0", "version_affected": "<"}]}, "product_name": "Apache Log4j"}]}, "vendor_name": "Apache Software Foundation"}]}}, "data_type": "CVE", "generator": {"engine": "Vulnogram 0.0.9"}, "references": {"reference_data": [{"url": "https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2021-0032", "name": "https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2021-0032", "refsource": "CONFIRM"}, {"url": "https://www.oracle.com/security-alerts/alert-cve-2021-44228.html", "name": "https://www.oracle.com/security-alerts/alert-cve-2021-44228.html", "refsource": "CONFIRM"}, {"url": "https://www.cve.org/CVERecord?id=CVE-2021-44228", "name": "https://www.cve.org/CVERecord?id=CVE-2021-44228", "refsource": "MISC"}, {"url": "http://www.openwall.com/lists/oss-security/2021/12/14/4", "name": "[oss-security] 20211214 CVE-2021-45046: Apache Log4j2 Thread Context Message Pattern and Context Lookup Pattern vulnerable to a denial of service attack", "refsource": "MLIST"}, {"url": "https://logging.apache.org/log4j/2.x/security.html", "name": "https://logging.apache.org/log4j/2.x/security.html", "refsource": "CONFIRM"}, {"url": "https://www.kb.cert.org/vuls/id/930724", "name": "VU#930724", "refsource": "CERT-VN"}, {"url": "https://cert-portal.siemens.com/productcert/pdf/ssa-661247.pdf", "name": "https://cert-portal.siemens.com/productcert/pdf/ssa-661247.pdf", "refsource": "CONFIRM"}, {"url": "https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00646.html", "name": "https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00646.html", "refsource": "CONFIRM"}, {"url": "https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-apache-log4j-qRuKNEbd", "name": "20211210 Vulnerabilities in Apache Log4j Library Affecting Cisco Products: December 2021", "refsource": "CISCO"}, {"url": "http://www.openwall.com/lists/oss-security/2021/12/15/3", "name": "[oss-security] 20211215 Re: CVE-2021-45046: Apache Log4j2 Thread Context Message Pattern and Context Lookup Pattern vulnerable to a denial of service attack", "refsource": "MLIST"}, {"url": "https://cert-portal.siemens.com/productcert/pdf/ssa-714170.pdf", "name": "https://cert-portal.siemens.com/productcert/pdf/ssa-714170.pdf", "refsource": "CONFIRM"}, {"url": "https://www.debian.org/security/2021/dsa-5022", "name": "DSA-5022", "refsource": "DEBIAN"}, {"url": "http://www.openwall.com/lists/oss-security/2021/12/18/1", "name": "[oss-security] 20211218 Re: CVE-2021-45046: Apache Log4j2 Thread Context Message Pattern and Context Lookup Pattern vulnerable to a denial of service attack", "refsource": "MLIST"}, {"url": "https://cert-portal.siemens.com/productcert/pdf/ssa-397453.pdf", "name": "https://cert-portal.siemens.com/productcert/pdf/ssa-397453.pdf", "refsource": "CONFIRM"}, {"url": "https://cert-portal.siemens.com/productcert/pdf/ssa-479842.pdf", "name": "https://cert-portal.siemens.com/productcert/pdf/ssa-479842.pdf", "refsource": "CONFIRM"}, {"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/EOKPQGV24RRBBI4TBZUDQMM4MEH7MXCY/", "name": "FEDORA-2021-5c9d12a93e", "refsource": "FEDORA"}, {"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/SIG7FZULMNK2XF6FZRU4VWYDQXNMUGAJ/", "name": "FEDORA-2021-abbe24e41c", "refsource": "FEDORA"}, {"url": "https://www.oracle.com/security-alerts/cpujan2022.html", "name": "https://www.oracle.com/security-alerts/cpujan2022.html", "refsource": "MISC"}, {"url": "https://www.oracle.com/security-alerts/cpuapr2022.html", "name": "https://www.oracle.com/security-alerts/cpuapr2022.html", "refsource": "MISC"}, {"url": "https://www.oracle.com/security-alerts/cpujul2022.html", "name": "https://www.oracle.com/security-alerts/cpujul2022.html", "refsource": "MISC"}]}, "data_format": "MITRE", "description": {"description_data": [{"lang": "eng", "value": "It was found that the fix to address CVE-2021-44228 in Apache Log4j 2.15.0 was incomplete in certain non-default configurations. This could allows attackers with control over Thread Context Map (MDC) input data when the logging configuration uses a non-default Pattern Layout with either a Context Lookup (for example, $${ctx:loginId}) or a Thread Context Map pattern (%X, %mdc, or %MDC) to craft malicious input data using a JNDI Lookup pattern resulting in an information leak and remote code execution in some environments and local code execution in all environments. Log4j 2.16.0 (Java 8) and 2.12.2 (Java 7) fix this issue by removing support for message lookup patterns and disabling JNDI functionality by default."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "CWE-917 Improper Neutralization of Special Elements used in an Expression Language Statement ('Expression Language Injection')"}]}]}, "data_version": "4.0", "CVE_data_meta": {"ID": "CVE-2021-45046", "STATE": "PUBLIC", "TITLE": "Apache Log4j2 Thread Context Message Pattern and Context Lookup Pattern vulnerable to a denial of service attack", "ASSIGNER": "security@apache.org"}}}}, "cveMetadata": {"cveId": "CVE-2021-45046", "state": "PUBLISHED", "dateUpdated": "2025-10-21T23:25:22.768Z", "dateReserved": "2021-12-14T00:00:00.000Z", "assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09", "datePublished": "2021-12-14T16:55:09.000Z", "assignerShortName": "apache"}, "dataVersion": "5.1"}

{"cisaActionDue": "2023-05-22", "cisaExploitAdd": "2023-05-01", "cisaRequiredAction": "Apply updates per vendor instructions.", "cisaVulnerabilityName": "Apache Log4j2 Deserialization of Untrusted Data Vulnerability", "configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:apache:log4j:*:*:*:*:*:*:*:*", "matchCriteriaId": "155A3CFA-903D-4DC9-9A64-C964FAABACC4", "versionEndExcluding": "2.12.2", "versionStartIncluding": "2.0.1", "vulnerable": true}, {"criteria": "cpe:2.3:a:apache:log4j:*:*:*:*:*:*:*:*", "matchCriteriaId": "88DD4847-0961-4CC4-90FC-DFCDC235F62F", "versionEndExcluding": "2.16.0", "versionStartIncluding": "2.13.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:apache:log4j:2.0:-:*:*:*:*:*:*", "matchCriteriaId": "17854E42-7063-4A55-BF2A-4C7074CC2D60", "vulnerable": true}, {"criteria": "cpe:2.3:a:apache:log4j:2.0:beta9:*:*:*:*:*:*", "matchCriteriaId": "53F32FB2-6970-4975-8BD0-EAE12E9AD03A", "vulnerable": true}, {"criteria": "cpe:2.3:a:apache:log4j:2.0:rc1:*:*:*:*:*:*", "matchCriteriaId": "B773ED91-1D39-42E6-9C52-D02210DE1A94", "vulnerable": true}, {"criteria": "cpe:2.3:a:apache:log4j:2.0:rc2:*:*:*:*:*:*", "matchCriteriaId": "EF24312D-1A62-482E-8078-7EC24758B710", "vulnerable": true}], "negate": false, "operator": "OR"}]}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:cvat:computer_vision_annotation_tool:-:*:*:*:*:*:*:*", "matchCriteriaId": "99BBE644-5421-472E-8595-5279E0CC67B1", "vulnerable": true}, {"criteria": "cpe:2.3:a:intel:audio_development_kit:-:*:*:*:*:*:*:*", "matchCriteriaId": "099344DD-8AEE-49A0-88A8-691A8A1E651F", "vulnerable": true}, {"criteria": "cpe:2.3:a:intel:datacenter_manager:-:*:*:*:*:*:*:*", "matchCriteriaId": "070C1452-C349-4953-A748-3039F2217811", "vulnerable": true}, {"criteria": "cpe:2.3:a:intel:genomics_kernel_library:-:*:*:*:*:*:*:*", "matchCriteriaId": "18989EBC-E1FB-473B-83E0-48C8896C2E96", "vulnerable": true}, {"criteria": "cpe:2.3:a:intel:oneapi:-:*:*:*:*:eclipse:*:*", "matchCriteriaId": "720D3597-B74B-4540-AD50-80884183D5DE", "vulnerable": true}, {"criteria": "cpe:2.3:a:intel:secure_device_onboard:-:*:*:*:*:*:*:*", "matchCriteriaId": "22BEE177-D117-478C-8EAD-9606DEDF9FD5", "vulnerable": true}, {"criteria": "cpe:2.3:a:intel:sensor_solution_firmware_development_kit:-:*:*:*:*:*:*:*", "matchCriteriaId": "F021E2E7-0D8F-4336-82A6-77E521347C4F", "vulnerable": true}, {"criteria": "cpe:2.3:a:intel:system_debugger:-:*:*:*:*:*:*:*", "matchCriteriaId": "1F66B0A2-22C0-41D5-B866-1764DEC12CB2", "vulnerable": true}, {"criteria": "cpe:2.3:a:intel:system_studio:-:*:*:*:*:*:*:*", "matchCriteriaId": "FC619106-991C-413A-809D-C2410EBA4CDB", "vulnerable": true}], "negate": false, "operator": "OR"}]}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:siemens:sppa-t3000_ses3000_firmware:*:*:*:*:*:*:*:*", "matchCriteriaId": "E8320869-CBF4-4C92-885C-560C09855BFA", "vulnerable": true}], "negate": false, "operator": "OR"}, {"cpeMatch": [{"criteria": "cpe:2.3:h:siemens:sppa-t3000_ses3000:-:*:*:*:*:*:*:*", "matchCriteriaId": "755BA221-33DD-40A2-A517-8574D042C261", "vulnerable": false}], "negate": false, "operator": "OR"}], "operator": "AND"}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:siemens:captial:*:*:*:*:*:*:*:*", "matchCriteriaId": "07856DAA-EDB4-4522-BA16-CD302C9E39EF", "versionEndExcluding": "2019.1", "vulnerable": true}, {"criteria": "cpe:2.3:a:siemens:captial:2019.1:-:*:*:*:*:*:*", "matchCriteriaId": "F7AD819D-D093-472E-AA47-1A925111E4C8", "vulnerable": true}, {"criteria": "cpe:2.3:a:siemens:captial:2019.1:sp1912:*:*:*:*:*:*", "matchCriteriaId": "2D07A11A-A3C6-4D44-B2E0-A8358D23947A", "vulnerable": true}, {"criteria": "cpe:2.3:a:siemens:comos:*:*:*:*:*:*:*:*", "matchCriteriaId": "61597661-A3B0-4A14-AA6B-C911E0063390", "vulnerable": true}, {"criteria": "cpe:2.3:a:siemens:desigo_cc_advanced_reports:4.0:*:*:*:*:*:*:*", "matchCriteriaId": "BB524B33-68E7-46A2-B5CE-BCD9C3194B8B", "vulnerable": true}, {"criteria": "cpe:2.3:a:siemens:desigo_cc_advanced_reports:4.1:*:*:*:*:*:*:*", "matchCriteriaId": "5F852C6D-44A0-4CCE-83C7-4501CAD73F9F", "vulnerable": true}, {"criteria": "cpe:2.3:a:siemens:desigo_cc_advanced_reports:4.2:*:*:*:*:*:*:*", "matchCriteriaId": "AA61161C-C2E7-4852-963E-E2D3DFBFDC7B", "vulnerable": true}, {"criteria": "cpe:2.3:a:siemens:desigo_cc_advanced_reports:5.0:*:*:*:*:*:*:*", "matchCriteriaId": "A76AA04A-BB43-4027-895E-D1EACFCDF41B", "vulnerable": true}, {"criteria": "cpe:2.3:a:siemens:desigo_cc_advanced_reports:5.1:*:*:*:*:*:*:*", "matchCriteriaId": "2A6B60F3-327B-49B7-B5E4-F1C60896C9BB", "vulnerable": true}, {"criteria": "cpe:2.3:a:siemens:desigo_cc_info_center:5.0:*:*:*:*:*:*:*", "matchCriteriaId": "4BCF281E-B0A2-49E2-AEF8-8691BDCE08D5", "vulnerable": true}, {"criteria": "cpe:2.3:a:siemens:desigo_cc_info_center:5.1:*:*:*:*:*:*:*", "matchCriteriaId": "A87EFCC4-4BC1-4FEA-BAA4-8FF221838EBD", "vulnerable": true}, {"criteria": "cpe:2.3:a:siemens:e-car_operation_center:*:*:*:*:*:*:*:*", "matchCriteriaId": "B678380B-E95E-4A8B-A49D-D13B62AA454E", "versionEndExcluding": "2021-12-13", "vulnerable": true}, {"criteria": "cpe:2.3:a:siemens:energy_engage:3.1:*:*:*:*:*:*:*", "matchCriteriaId": "4557476B-0157-44C2-BB50-299E7C7E1E72", "vulnerable": true}, {"criteria": "cpe:2.3:a:siemens:energyip:8.5:*:*:*:*:*:*:*", "matchCriteriaId": "991B2959-5AA3-4B68-A05A-42D9860FAA9D", "vulnerable": true}, {"criteria": "cpe:2.3:a:siemens:energyip:8.6:*:*:*:*:*:*:*", "matchCriteriaId": "7E5948A0-CA31-41DF-85B6-1E6D09E5720B", "vulnerable": true}, {"criteria": "cpe:2.3:a:siemens:energyip:8.7:*:*:*:*:*:*:*", "matchCriteriaId": "4C08D302-EEAC-45AA-9943-3A5F09E29FAB", "vulnerable": true}, {"criteria": "cpe:2.3:a:siemens:energyip:9.0:*:*:*:*:*:*:*", "matchCriteriaId": "D53BA68C-B653-4507-9A2F-177CF456960F", "vulnerable": true}, {"criteria": "cpe:2.3:a:siemens:energyip_prepay:3.7:*:*:*:*:*:*:*", "matchCriteriaId": "1F0C3D5E-579F-42C6-9D8C-37969A1D17D2", "vulnerable": true}, {"criteria": "cpe:2.3:a:siemens:energyip_prepay:3.8:*:*:*:*:*:*:*", "matchCriteriaId": "2C16C460-9482-4A22-92AC-1AE0E87D7F28", "vulnerable": true}, {"criteria": "cpe:2.3:a:siemens:gma-manager:*:*:*:*:*:*:*:*", "matchCriteriaId": "0E180527-5C36-4158-B017-5BEDC0412FD6", "versionEndExcluding": "8.6.2j-398", "vulnerable": true}, {"criteria": "cpe:2.3:a:siemens:head-end_system_universal_device_integration_system:*:*:*:*:*:*:*:*", "matchCriteriaId": "AFDADA98-1CD0-45DA-9082-BFC383F7DB97", "vulnerable": true}, {"criteria": "cpe:2.3:a:siemens:industrial_edge_management:*:*:*:*:*:*:*:*", "matchCriteriaId": "E33D707F-100E-4DE7-A05B-42467DE75EAC", "vulnerable": true}, {"criteria": "cpe:2.3:a:siemens:industrial_edge_management_hub:*:*:*:*:*:*:*:*", "matchCriteriaId": "DD3EAC80-44BE-41D2-8D57-0EE3DBA1E1B1", "versionEndExcluding": "2021-12-13", "vulnerable": true}, {"criteria": "cpe:2.3:a:siemens:logo\\!_soft_comfort:*:*:*:*:*:*:*:*", "matchCriteriaId": "2AC8AB52-F4F4-440D-84F5-2776BFE1957A", "vulnerable": true}, {"criteria": "cpe:2.3:a:siemens:mendix:*:*:*:*:*:*:*:*", "matchCriteriaId": "6AF6D774-AC8C-49CA-A00B-A2740CA8FA91", "vulnerable": true}, {"criteria": "cpe:2.3:a:siemens:mindsphere:*:*:*:*:*:*:*:*", "matchCriteriaId": "6423B1A7-F09F-421A-A0AC-3059CB89B110", "versionEndExcluding": "2021-12-11", "vulnerable": true}, {"criteria": "cpe:2.3:a:siemens:navigator:*:*:*:*:*:*:*:*", "matchCriteriaId": "48C6A61B-2198-4B9E-8BCF-824643C81EC3", "versionEndExcluding": "2021-12-13", "vulnerable": true}, {"criteria": "cpe:2.3:a:siemens:nx:*:*:*:*:*:*:*:*", "matchCriteriaId": "BEE2F7A1-8281-48F1-8BFB-4FE0D7E1AEF4", "vulnerable": true}, {"criteria": "cpe:2.3:a:siemens:opcenter_intelligence:*:*:*:*:*:*:*:*", "matchCriteriaId": "C74B9880-FFF9-48CA-974F-54FB80F30D2D", "versionEndIncluding": "3.2", "vulnerable": true}, {"criteria": "cpe:2.3:a:siemens:operation_scheduler:*:*:*:*:*:*:*:*", "matchCriteriaId": "74D1F4AD-9A60-4432-864F-4505B3C60659", "versionEndIncluding": "1.1.3", "vulnerable": true}, {"criteria": "cpe:2.3:a:siemens:sentron_powermanager:4.1:*:*:*:*:*:*:*", "matchCriteriaId": "7ABA5332-8D1E-4129-A557-FCECBAC12827", "vulnerable": true}, {"criteria": "cpe:2.3:a:siemens:sentron_powermanager:4.2:*:*:*:*:*:*:*", "matchCriteriaId": "9C3AA865-5570-4C8B-99DE-431AD7B163F1", "vulnerable": true}, {"criteria": "cpe:2.3:a:siemens:siguard_dsa:4.2:*:*:*:*:*:*:*", "matchCriteriaId": "00E03FB6-37F9-4559-8C86-F203D6782920", "vulnerable": true}, {"criteria": "cpe:2.3:a:siemens:siguard_dsa:4.3:*:*:*:*:*:*:*", "matchCriteriaId": "90439591-BA01-4007-A2B6-B316548D4595", "vulnerable": true}, {"criteria": "cpe:2.3:a:siemens:siguard_dsa:4.4:*:*:*:*:*:*:*", "matchCriteriaId": "E1F3B8B4-4D1B-4913-BD5F-1A04B47F829A", "vulnerable": true}, {"criteria": "cpe:2.3:a:siemens:sipass_integrated:2.80:*:*:*:*:*:*:*", "matchCriteriaId": "83E77D85-0AE8-41D6-AC0C-983A8B73C831", "vulnerable": true}, {"criteria": "cpe:2.3:a:siemens:sipass_integrated:2.85:*:*:*:*:*:*:*", "matchCriteriaId": "02B28A44-3708-480D-9D6D-DDF8C21A15EC", "vulnerable": true}, {"criteria": "cpe:2.3:a:siemens:siveillance_command:*:*:*:*:*:*:*:*", "matchCriteriaId": "2FC0A575-F771-4B44-A0C6-6A5FD98E5134", "versionEndIncluding": "4.16.2.1", "vulnerable": true}, {"criteria": "cpe:2.3:a:siemens:siveillance_control_pro:*:*:*:*:*:*:*:*", "matchCriteriaId": "6D1D6B61-1F17-4008-9DFB-EF419777768E", "vulnerable": true}, {"criteria": "cpe:2.3:a:siemens:siveillance_identity:1.5:*:*:*:*:*:*:*", "matchCriteriaId": "9772EE3F-FFC5-4611-AD9A-8AD8304291BB", "vulnerable": true}, {"criteria": "cpe:2.3:a:siemens:siveillance_identity:1.6:*:*:*:*:*:*:*", "matchCriteriaId": "CF524892-278F-4373-A8A3-02A30FA1AFF4", "vulnerable": true}, {"criteria": "cpe:2.3:a:siemens:siveillance_vantage:*:*:*:*:*:*:*:*", "matchCriteriaId": "F30DE588-9479-46AA-8346-EA433EE83A5F", "vulnerable": true}, {"criteria": "cpe:2.3:a:siemens:siveillance_viewpoint:*:*:*:*:*:*:*:*", "matchCriteriaId": "4941EAD6-8759-4C72-ABA6-259C0E838216", "vulnerable": true}, {"criteria": "cpe:2.3:a:siemens:solid_edge_cam_pro:*:*:*:*:*:*:*:*", "matchCriteriaId": "5BF2708F-0BD9-41BF-8CB1-4D06C4EFB777", "vulnerable": true}, {"criteria": "cpe:2.3:a:siemens:solid_edge_harness_design:*:*:*:*:*:*:*:*", "matchCriteriaId": "0762031C-DFF1-4962-AE05-0778B27324B9", "versionEndExcluding": "2020", "vulnerable": true}, {"criteria": "cpe:2.3:a:siemens:solid_edge_harness_design:2020:*:*:*:*:*:*:*", "matchCriteriaId": "96271088-1D1B-4378-8ABF-11DAB3BB4DDC", "vulnerable": true}, {"criteria": "cpe:2.3:a:siemens:solid_edge_harness_design:2020:-:*:*:*:*:*:*", "matchCriteriaId": "2595AD24-2DF2-4080-B780-BC03F810B9A9", "vulnerable": true}, {"criteria": "cpe:2.3:a:siemens:solid_edge_harness_design:2020:sp2002:*:*:*:*:*:*", "matchCriteriaId": "88096F08-F261-4E3E-9EEB-2AB0225CD6F3", "vulnerable": true}, {"criteria": "cpe:2.3:a:siemens:spectrum_power_4:*:*:*:*:*:*:*:*", "matchCriteriaId": "044994F7-8127-4F03-AA1A-B2AB41D68AF5", "versionEndExcluding": "4.70", "vulnerable": true}, {"criteria": "cpe:2.3:a:siemens:spectrum_power_4:4.70:-:*:*:*:*:*:*", "matchCriteriaId": "A6CB3A8D-9577-41FB-8AC4-0DF8DE6A519C", "vulnerable": true}, {"criteria": "cpe:2.3:a:siemens:spectrum_power_4:4.70:sp7:*:*:*:*:*:*", "matchCriteriaId": "17B7C211-6339-4AF2-9564-94C7DE52EEB7", "vulnerable": true}, {"criteria": "cpe:2.3:a:siemens:spectrum_power_4:4.70:sp8:*:*:*:*:*:*", "matchCriteriaId": "DBCCBBBA-9A4F-4354-91EE-10A1460BBA3F", "vulnerable": true}, {"criteria": "cpe:2.3:a:siemens:spectrum_power_7:*:*:*:*:*:*:*:*", "matchCriteriaId": "12F81F6B-E455-4367-ADA4-8A5EC7F4754A", "versionEndExcluding": "2.30", "vulnerable": true}, {"criteria": "cpe:2.3:a:siemens:spectrum_power_7:2.30:*:*:*:*:*:*:*", "matchCriteriaId": "A5EF509E-3799-4718-B361-EFCBA17AEEF3", "vulnerable": true}, {"criteria": "cpe:2.3:a:siemens:spectrum_power_7:2.30:-:*:*:*:*:*:*", "matchCriteriaId": "8CA31645-29FC-4432-9BFC-C98A808DB8CF", "vulnerable": true}, {"criteria": "cpe:2.3:a:siemens:spectrum_power_7:2.30:sp2:*:*:*:*:*:*", "matchCriteriaId": "BB424991-0B18-4FFC-965F-FCF4275F56C5", "vulnerable": true}, {"criteria": "cpe:2.3:a:siemens:teamcenter:*:*:*:*:*:*:*:*", "matchCriteriaId": "1B209EFE-77F2-48CD-A880-ABA0A0A81AB1", "vulnerable": true}, {"criteria": "cpe:2.3:a:siemens:tracealertserverplus:*:*:*:*:*:*:*:*", "matchCriteriaId": "6340621E-0FAF-4684-B457-E621E51E13A1", "vulnerable": true}, {"criteria": "cpe:2.3:a:siemens:vesys:*:*:*:*:*:*:*:*", "matchCriteriaId": "72D238AB-4A1F-458D-897E-2C93DCD7BA6C", "versionEndExcluding": "2019.1", "vulnerable": true}, {"criteria": "cpe:2.3:a:siemens:vesys:2019.1:*:*:*:*:*:*:*", "matchCriteriaId": "9778339A-EA93-4D18-9A03-4EB4CBD25459", "vulnerable": true}, {"criteria": "cpe:2.3:a:siemens:vesys:2019.1:-:*:*:*:*:*:*", "matchCriteriaId": "1747F127-AB45-4325-B9A1-F3D12E69FFC8", "vulnerable": true}, {"criteria": "cpe:2.3:a:siemens:vesys:2019.1:sp1912:*:*:*:*:*:*", "matchCriteriaId": "18BBEF7C-F686-4129-8EE9-0F285CE38845", "vulnerable": true}, {"criteria": "cpe:2.3:a:siemens:xpedition_enterprise:-:*:*:*:*:*:*:*", "matchCriteriaId": "AD525494-2807-48EA-AED0-11B9CB5A6A9B", "vulnerable": true}, {"criteria": "cpe:2.3:a:siemens:xpedition_package_integrator:-:*:*:*:*:*:*:*", "matchCriteriaId": "1EDCBF98-A857-48BC-B04D-6F36A1975AA5", "vulnerable": true}], "negate": false, "operator": "OR"}]}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:debian:debian_linux:10.0:*:*:*:*:*:*:*", "matchCriteriaId": "07B237A9-69A3-4A9C-9DA0-4E06BD37AE73", "vulnerable": true}, {"criteria": "cpe:2.3:o:debian:debian_linux:11.0:*:*:*:*:*:*:*", "matchCriteriaId": "FA6FEEC2-9F11-4643-8827-749718254FED", "vulnerable": true}], "negate": false, "operator": "OR"}]}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:sonicwall:email_security:*:*:*:*:*:*:*:*", "matchCriteriaId": "B5BAA8A5-74B3-48EB-8287-302927197A4E", "versionEndExcluding": "10.0.12", "vulnerable": true}], "negate": false, "operator": "OR"}]}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:fedoraproject:fedora:34:*:*:*:*:*:*:*", "matchCriteriaId": "A930E247-0B43-43CB-98FF-6CE7B8189835", "vulnerable": true}, {"criteria": "cpe:2.3:o:fedoraproject:fedora:35:*:*:*:*:*:*:*", "matchCriteriaId": "80E516C0-98A4-4ADE-B69F-66A772E2BAAA", "vulnerable": true}], "negate": false, "operator": "OR"}]}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:h:siemens:6bk1602-0aa12-0tp0:-:*:*:*:*:*:*:*", "matchCriteriaId": "CF99FE8F-40D0-48A8-9A40-43119B259535", "vulnerable": false}], "negate": false, "operator": "OR"}, {"cpeMatch": [{"criteria": "cpe:2.3:o:siemens:6bk1602-0aa12-0tp0_firmware:*:*:*:*:*:*:*:*", "matchCriteriaId": "BD64FC36-CC7B-4FD7-9845-7EA1DDB0E627", "versionEndExcluding": "2.7.0", "vulnerable": true}], "negate": false, "operator": "OR"}], "operator": "AND"}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:h:siemens:6bk1602-0aa22-0tp0:-:*:*:*:*:*:*:*", "matchCriteriaId": "F3F61BCB-64FA-463C-8B95-8868995EDBC0", "vulnerable": false}], "negate": false, "operator": "OR"}, {"cpeMatch": [{"criteria": "cpe:2.3:o:siemens:6bk1602-0aa22-0tp0_firmware:*:*:*:*:*:*:*:*", "matchCriteriaId": "D0012304-B1C8-460A-B891-42EBF96504F5", "versionEndExcluding": "2.7.0", "vulnerable": true}], "negate": false, "operator": "OR"}], "operator": "AND"}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:h:siemens:6bk1602-0aa32-0tp0:-:*:*:*:*:*:*:*", "matchCriteriaId": "B5A189B7-DDBF-4B84-997F-637CEC5FF12B", "vulnerable": false}], "negate": false, "operator": "OR"}, {"cpeMatch": [{"criteria": "cpe:2.3:o:siemens:6bk1602-0aa32-0tp0_firmware:*:*:*:*:*:*:*:*", "matchCriteriaId": "B02BCF56-D9D3-4BF3-85A2-D445E997F5EC", "versionEndExcluding": "2.7.0", "vulnerable": true}], "negate": false, "operator": "OR"}], "operator": "AND"}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:h:siemens:6bk1602-0aa42-0tp0:-:*:*:*:*:*:*:*", "matchCriteriaId": "035AFD6F-E560-43C8-A283-8D80DAA33025", "vulnerable": false}], "negate": false, "operator": "OR"}, {"cpeMatch": [{"criteria": "cpe:2.3:o:siemens:6bk1602-0aa42-0tp0_firmware:*:*:*:*:*:*:*:*", "matchCriteriaId": "4A2DB5BA-1065-467A-8FB6-81B5EC29DC0C", "versionEndExcluding": "2.7.0", "vulnerable": true}], "negate": false, "operator": "OR"}], "operator": "AND"}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:h:siemens:6bk1602-0aa52-0tp0:-:*:*:*:*:*:*:*", "matchCriteriaId": "4594FF76-A1F8-4457-AE90-07D051CD0DCB", "vulnerable": false}], "negate": false, "operator": "OR"}, {"cpeMatch": [{"criteria": "cpe:2.3:o:siemens:6bk1602-0aa52-0tp0_firmware:*:*:*:*:*:*:*:*", "matchCriteriaId": "809EB87E-561A-4DE5-9FF3-BBEE0FA3706E", "versionEndExcluding": "2.7.0", "vulnerable": true}], "negate": false, "operator": "OR"}], "operator": "AND"}], "cveTags": [], "descriptions": [{"lang": "en", "value": "It was found that the fix to address CVE-2021-44228 in Apache Log4j 2.15.0 was incomplete in certain non-default configurations. This could allows attackers with control over Thread Context Map (MDC) input data when the logging configuration uses a non-default Pattern Layout with either a Context Lookup (for example, $${ctx:loginId}) or a Thread Context Map pattern (%X, %mdc, or %MDC) to craft malicious input data using a JNDI Lookup pattern resulting in an information leak and remote code execution in some environments and local code execution in all environments. Log4j 2.16.0 (Java 8) and 2.12.2 (Java 7) fix this issue by removing support for message lookup patterns and disabling JNDI functionality by default."}, {"lang": "es", "value": "Se descubri\u00f3 que la correcci\u00f3n para abordar CVE-2021-44228 en Apache Log4j versiones 2.15.0 estaba incompleta en ciertas configuraciones no predeterminadas. Esto podr\u00eda permitir a los atacantes con control sobre los datos de entrada de Thread Context Map (MDC) cuando la configuraci\u00f3n de registro utiliza un Pattern Layout no predeterminado con un Context Lookup (por ejemplo, $${ctx:loginId}) o un Thread Context Map pattern (%X, %mdc, o %MDC) para elaborar datos de entrada maliciosos utilizando un patr\u00f3n JNDI Lookup que resulta en una fuga de informaci\u00f3n y ejecuci\u00f3n de c\u00f3digo remoto en algunos entornos y ejecuci\u00f3n de c\u00f3digo local en todos los entornos. Log4j versiones 2.16.0 (Java 8) y 2.12.2 (Java 7) solucionan este problema eliminando el soporte para los patrones de b\u00fasqueda de mensajes y deshabilitando la funcionalidad JNDI por defecto"}], "id": "CVE-2021-45046", "lastModified": "2025-10-27T17:35:56.240", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "HIGH", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "PARTIAL", "baseScore": 5.1, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:H/Au:N/C:P/I:P/A:P", "version": "2.0"}, "exploitabilityScore": 4.9, "impactScore": 6.4, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.0, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 2.2, "impactScore": 6.0, "source": "nvd@nist.gov", "type": "Primary"}, {"cvssData": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.0, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 2.2, "impactScore": 6.0, "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}, "published": "2021-12-14T19:15:07.733", "references": [{"source": "security@apache.org", "tags": ["Mailing List", "Mitigation", "Third Party Advisory"], "url": "http://www.openwall.com/lists/oss-security/2021/12/14/4"}, {"source": "security@apache.org", "tags": ["Mailing List", "Third Party Advisory"], "url": "http://www.openwall.com/lists/oss-security/2021/12/15/3"}, {"source": "security@apache.org", "tags": ["Mailing List", "Third Party Advisory"], "url": "http://www.openwall.com/lists/oss-security/2021/12/18/1"}, {"source": "security@apache.org", "tags": ["Third Party Advisory"], "url": "https://cert-portal.siemens.com/productcert/pdf/ssa-397453.pdf"}, {"source": "security@apache.org", "tags": ["Third Party Advisory"], "url": "https://cert-portal.siemens.com/productcert/pdf/ssa-479842.pdf"}, {"source": "security@apache.org", "tags": ["Third Party Advisory"], "url": "https://cert-portal.siemens.com/productcert/pdf/ssa-661247.pdf"}, {"source": "security@apache.org", "tags": ["Third Party Advisory"], "url": "https://cert-portal.siemens.com/productcert/pdf/ssa-714170.pdf"}, {"source": "security@apache.org", "tags": ["Mailing List", "Release Notes"], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/EOKPQGV24RRBBI4TBZUDQMM4MEH7MXCY/"}, {"source": "security@apache.org", "tags": ["Mailing List", "Release Notes"], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/SIG7FZULMNK2XF6FZRU4VWYDQXNMUGAJ/"}, {"source": "security@apache.org", "tags": ["Mitigation", "Release Notes", "Vendor Advisory"], "url": "https://logging.apache.org/log4j/2.x/security.html"}, {"source": "security@apache.org", "tags": ["Third Party Advisory"], "url": "https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2021-0032"}, {"source": "security@apache.org", "tags": ["Third Party Advisory"], "url": "https://security.gentoo.org/glsa/202310-16"}, {"source": "security@apache.org", "tags": ["Third Party Advisory"], "url": "https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-apache-log4j-qRuKNEbd"}, {"source": "security@apache.org", "tags": ["Not Applicable"], "url": "https://www.cve.org/CVERecord?id=CVE-2021-44228"}, {"source": "security@apache.org", "tags": ["Third Party Advisory"], "url": "https://www.debian.org/security/2021/dsa-5022"}, {"source": "security@apache.org", "tags": ["Third Party Advisory"], "url": "https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00646.html"}, {"source": "security@apache.org", "tags": ["Third Party Advisory", "US Government Resource"], "url": "https://www.kb.cert.org/vuls/id/930724"}, {"source": "security@apache.org", "tags": ["Third Party Advisory"], "url": "https://www.oracle.com/security-alerts/alert-cve-2021-44228.html"}, {"source": "security@apache.org", "tags": ["Third Party Advisory"], "url": "https://www.oracle.com/security-alerts/cpuapr2022.html"}, {"source": "security@apache.org", "tags": ["Patch", "Third Party Advisory"], "url": "https://www.oracle.com/security-alerts/cpujan2022.html"}, {"source": "security@apache.org", "tags": ["Third Party Advisory"], "url": "https://www.oracle.com/security-alerts/cpujul2022.html"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Mailing List", "Mitigation", "Third Party Advisory"], "url": "http://www.openwall.com/lists/oss-security/2021/12/14/4"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Mailing List", "Third Party Advisory"], "url": "http://www.openwall.com/lists/oss-security/2021/12/15/3"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Mailing List", "Third Party Advisory"], "url": "http://www.openwall.com/lists/oss-security/2021/12/18/1"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Third Party Advisory"], "url": "https://cert-portal.siemens.com/productcert/pdf/ssa-397453.pdf"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Third Party Advisory"], "url": "https://cert-portal.siemens.com/productcert/pdf/ssa-479842.pdf"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Third Party Advisory"], "url": "https://cert-portal.siemens.com/productcert/pdf/ssa-661247.pdf"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Third Party Advisory"], "url": "https://cert-portal.siemens.com/productcert/pdf/ssa-714170.pdf"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Mailing List", "Release Notes"], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/EOKPQGV24RRBBI4TBZUDQMM4MEH7MXCY/"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Mailing List", "Release Notes"], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/SIG7FZULMNK2XF6FZRU4VWYDQXNMUGAJ/"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Mitigation", "Release Notes", "Vendor Advisory"], "url": "https://logging.apache.org/log4j/2.x/security.html"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Third Party Advisory"], "url": "https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2021-0032"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Third Party Advisory"], "url": "https://security.gentoo.org/glsa/202310-16"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Third Party Advisory"], "url": "https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-apache-log4j-qRuKNEbd"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Not Applicable"], "url": "https://www.cve.org/CVERecord?id=CVE-2021-44228"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Third Party Advisory"], "url": "https://www.debian.org/security/2021/dsa-5022"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Third Party Advisory"], "url": "https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00646.html"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Third Party Advisory", "US Government Resource"], "url": "https://www.kb.cert.org/vuls/id/930724"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Third Party Advisory"], "url": "https://www.oracle.com/security-alerts/alert-cve-2021-44228.html"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Third Party Advisory"], "url": "https://www.oracle.com/security-alerts/cpuapr2022.html"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Patch", "Third Party Advisory"], "url": "https://www.oracle.com/security-alerts/cpujan2022.html"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Third Party Advisory"], "url": "https://www.oracle.com/security-alerts/cpujul2022.html"}, {"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "tags": ["US Government Resource"], "url": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2021-45046"}], "sourceIdentifier": "security@apache.org", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-917"}], "source": "security@apache.org", "type": "Secondary"}, {"description": [{"lang": "en", "value": "CWE-917"}], "source": "nvd@nist.gov", "type": "Primary"}]}

{"affected_release": [{"advisory": "RHSA-2022:1299", "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:7.4", "impact": "low", "package": "log4j-core", "product_name": "EAP 7.4.4 release", "release_date": "2022-04-11T00:00:00Z"}, {"advisory": "RHSA-2022:0216", "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:7.4", "impact": "low", "package": "log4j-core", "product_name": "EAP 7.4 log4j async", "release_date": "2022-01-20T00:00:00Z"}, {"advisory": "RHSA-2021:5137", "cpe": "cpe:/a:redhat:logging:5.0::el8", "package": "openshift-logging/elasticsearch6-rhel8:v5.0.10-1", "product_name": "OpenShift Logging 5.0", "release_date": "2021-12-14T00:00:00Z"}, {"advisory": "RHSA-2021:5128", "cpe": "cpe:/a:redhat:logging:5.1::el8", "package": "openshift-logging/elasticsearch6-rhel8:v6.8.1-67", "product_name": "OpenShift Logging 5.1", "release_date": "2021-12-14T00:00:00Z"}, {"advisory": "RHSA-2021:5127", "cpe": "cpe:/a:redhat:logging:5.2::el8", "package": "openshift-logging/elasticsearch6-rhel8:v6.8.1-66", "product_name": "OpenShift Logging 5.2", "release_date": "2021-12-14T00:00:00Z"}, {"advisory": "RHSA-2021:5129", "cpe": "cpe:/a:redhat:logging:5.3::el8", "package": "openshift-logging/elasticsearch6-rhel8:v6.8.1-65", "product_name": "OpenShift Logging 5.3", "release_date": "2021-12-14T00:00:00Z"}, {"advisory": "RHSA-2022:0138", "cpe": "cpe:/a:redhat:amq_streams:2", "product_name": "Red Hat AMQ Streams 2.0.0", "release_date": "2022-01-13T00:00:00Z"}, {"advisory": "RHSA-2022:0205", "cpe": "cpe:/a:redhat:jboss_data_grid:8.2", "package": "log4j-core", "product_name": "Red Hat Data Grid 8.2.3", "release_date": "2022-01-20T00:00:00Z"}, {"advisory": "RHSA-2022:0203", "cpe": "cpe:/a:redhat:jboss_fuse:7", "package": "log4j-core", "product_name": "Red Hat Fuse 7.8.2, 7.9.1, 7.10.1", "release_date": "2022-01-20T00:00:00Z"}, {"advisory": "RHSA-2022:0222", "cpe": "cpe:/a:redhat:camel_quarkus:2.2", "package": "log4j-core", "product_name": "Red Hat Integration Camel Extensions for Quarkus 2.2", "release_date": "2022-01-20T00:00:00Z"}, {"advisory": "RHSA-2022:0223", "cpe": "cpe:/a:redhat:integration:1", "package": "log4j-core", "product_name": "Red Hat Integration Camel-K 1.6.3", "release_date": "2022-01-20T00:00:00Z"}, {"advisory": "RHSA-2025:1746", "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform_eus:7.1::el7", "package": "eap7-apache-cxf-0:3.1.16-4.redhat_00003.1.ep7.el7", "product_name": "Red Hat JBoss Enterprise Application Platform 7.1 EUS for RHEL 7", "release_date": "2025-02-24T00:00:00Z"}, {"advisory": "RHSA-2025:1746", "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform_eus:7.1::el7", "package": "eap7-jackson-databind-0:2.8.11.6-2.SP1_redhat_00002.1.ep7.el7", "product_name": "Red Hat JBoss Enterprise Application Platform 7.1 EUS for RHEL 7", "release_date": "2025-02-24T00:00:00Z"}, {"advisory": "RHSA-2025:1746", "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform_eus:7.1::el7", "package": "eap7-jettison-0:1.3.8-2.redhat_00002.1.ep7.el7", "product_name": "Red Hat JBoss Enterprise Application Platform 7.1 EUS for RHEL 7", "release_date": "2025-02-24T00:00:00Z"}, {"advisory": "RHSA-2025:1746", "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform_eus:7.1::el7", "package": "eap7-netty-0:4.1.63-1.Final_redhat_00002.1.ep7.el7", "product_name": "Red Hat JBoss Enterprise Application Platform 7.1 EUS for RHEL 7", "release_date": "2025-02-24T00:00:00Z"}, {"advisory": "RHSA-2025:1746", "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform_eus:7.1::el7", "package": "eap7-resteasy-0:3.0.27-1.Final_redhat_00001.1.ep7.el7", "product_name": "Red Hat JBoss Enterprise Application Platform 7.1 EUS for RHEL 7", "release_date": "2025-02-24T00:00:00Z"}, {"advisory": "RHSA-2025:1746", "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform_eus:7.1::el7", "package": "eap7-snakeyaml-0:1.33.0-1.SP1_redhat_00001.1.ep7.el7", "product_name": "Red Hat JBoss Enterprise Application Platform 7.1 EUS for RHEL 7", "release_date": "2025-02-24T00:00:00Z"}, {"advisory": "RHSA-2025:1746", "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform_eus:7.1::el7", "package": "eap7-velocity-0:1.7.0-3.redhat_00006.1.ep7.el7", "product_name": "Red Hat JBoss Enterprise Application Platform 7.1 EUS for RHEL 7", "release_date": "2025-02-24T00:00:00Z"}, {"advisory": "RHSA-2025:1746", "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform_eus:7.1::el7", "package": "eap7-wildfly-0:7.1.9-2.GA_redhat_00002.1.ep7.el7", "product_name": "Red Hat JBoss Enterprise Application Platform 7.1 EUS for RHEL 7", "release_date": "2025-02-24T00:00:00Z"}, {"advisory": "RHSA-2025:1747", "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform_eus:7.3::el7", "package": "eap7-hal-console-0:3.2.17-1.Final_redhat_00001.1.el7eap", "product_name": "Red Hat JBoss Enterprise Application Platform 7.3 EUS for RHEL 7", "release_date": "2025-02-24T00:00:00Z"}, {"advisory": "RHSA-2025:1747", "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform_eus:7.3::el7", "package": "eap7-jackson-annotations-0:2.10.4-2.redhat_00004.1.el7eap", "product_name": "Red Hat JBoss Enterprise Application Platform 7.3 EUS for RHEL 7", "release_date": "2025-02-24T00:00:00Z"}, {"advisory": "RHSA-2025:1747", "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform_eus:7.3::el7", "package": "eap7-jackson-core-0:2.10.4-2.redhat_00004.1.el7eap", "product_name": "Red Hat JBoss Enterprise Application Platform 7.3 EUS for RHEL 7", "release_date": "2025-02-24T00:00:00Z"}, {"advisory": "RHSA-2025:1747", "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform_eus:7.3::el7", "package": "eap7-jackson-databind-0:2.10.4-4.redhat_00004.1.el7eap", "product_name": "Red Hat JBoss Enterprise Application Platform 7.3 EUS for RHEL 7", "release_date": "2025-02-24T00:00:00Z"}, {"advisory": "RHSA-2025:1747", "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform_eus:7.3::el7", "package": "eap7-jackson-jaxrs-providers-0:2.10.4-2.redhat_00004.1.el7eap", "product_name": "Red Hat JBoss Enterprise Application Platform 7.3 EUS for RHEL 7", "release_date": "2025-02-24T00:00:00Z"}, {"advisory": "RHSA-2025:1747", "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform_eus:7.3::el7", "package": "eap7-jackson-modules-base-0:2.10.4-4.redhat_00004.1.el7eap", "product_name": "Red Hat JBoss Enterprise Application Platform 7.3 EUS for RHEL 7", "release_date": "2025-02-24T00:00:00Z"}, {"advisory": "RHSA-2025:1747", "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform_eus:7.3::el7", "package": "eap7-jackson-modules-java8-0:2.10.4-2.redhat_00004.1.el7eap", "product_name": "Red Hat JBoss Enterprise Application Platform 7.3 EUS for RHEL 7", "release_date": "2025-02-24T00:00:00Z"}, {"advisory": "RHSA-2025:1747", "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform_eus:7.3::el7", "package": "eap7-jettison-0:1.5.2-2.redhat_00002.1.el7eap", "product_name": "Red Hat JBoss Enterprise Application Platform 7.3 EUS for RHEL 7", "release_date": "2025-02-24T00:00:00Z"}, {"advisory": "RHSA-2025:1747", "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform_eus:7.3::el7", "package": "eap7-netty-0:4.1.63-4.Final_redhat_00002.1.el7eap", "product_name": "Red Hat JBoss Enterprise Application Platform 7.3 EUS for RHEL 7", "release_date": "2025-02-24T00:00:00Z"}, {"advisory": "RHSA-2025:1747", "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform_eus:7.3::el7", "package": "eap7-resteasy-0:3.11.6-1.Final_redhat_00001.1.el7eap", "product_name": "Red Hat JBoss Enterprise Application Platform 7.3 EUS for RHEL 7", "release_date": "2025-02-24T00:00:00Z"}, {"advisory": "RHSA-2025:1747", "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform_eus:7.3::el7", "package": "eap7-snakeyaml-0:1.33.0-1.SP1_redhat_00001.1.el7eap", "product_name": "Red Hat JBoss Enterprise Application Platform 7.3 EUS for RHEL 7", "release_date": "2025-02-24T00:00:00Z"}, {"advisory": "RHSA-2025:1747", "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform_eus:7.3::el7", "package": "eap7-wildfly-0:7.3.12-3.GA_redhat_00002.1.el7eap", "product_name": "Red Hat JBoss Enterprise Application Platform 7.3 EUS for RHEL 7", "release_date": "2025-02-24T00:00:00Z"}, {"advisory": "RHSA-2022:1297", "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:7.4::el8", "impact": "low", "package": "eap7-log4j-0:2.17.1-1.redhat_00001.1.el8eap", "product_name": "Red Hat JBoss Enterprise Application Platform 7.4 for RHEL 8", "release_date": "2022-04-11T00:00:00Z"}, {"advisory": "RHSA-2022:1296", "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:7.4::el7", "impact": "low", "package": "eap7-log4j-0:2.17.1-1.redhat_00001.1.el7eap", "product_name": "Red Hat JBoss Enterprise Application Platform 7.4 on RHEL 7", "release_date": "2022-04-11T00:00:00Z"}, {"advisory": "RHSA-2021:5094", "cpe": "cpe:/a:redhat:openshift:3.11::el7", "package": "openshift3/ose-logging-elasticsearch5:v3.11.570-2.gd119820", "product_name": "Red Hat OpenShift Container Platform 3.11", "release_date": "2021-12-14T00:00:00Z"}, {"advisory": "RHSA-2021:5106", "cpe": "cpe:/a:redhat:openshift:4.6::el8", "package": "openshift4/ose-logging-elasticsearch6:v4.6.0-202112132021.p0.g2a13a81.assembly.stream", "product_name": "Red Hat OpenShift Container Platform 4.6", "release_date": "2021-12-16T00:00:00Z"}, {"advisory": "RHSA-2021:5106", "cpe": "cpe:/a:redhat:openshift:4.6::el8", "package": "openshift4/ose-metering-hive:v4.6.0-202112140546.p0.g8b9da97.assembly.stream", "product_name": "Red Hat OpenShift Container Platform 4.6", "release_date": "2021-12-16T00:00:00Z"}, {"advisory": "RHSA-2021:5141", "cpe": "cpe:/a:redhat:openshift:4.6::el8", "package": "openshift4/ose-metering-presto:v4.6.0-202112150545.p0.g190688a.assembly.art3595", "product_name": "Red Hat OpenShift Container Platform 4.6", "release_date": "2021-12-16T00:00:00Z"}, {"advisory": "RHSA-2021:5107", "cpe": "cpe:/a:redhat:openshift:4.7::el8", "package": "openshift4/ose-metering-hive:v4.7.0-202112140553.p0.g091bb99.assembly.stream", "product_name": "Red Hat OpenShift Container Platform 4.7", "release_date": "2021-12-16T00:00:00Z"}, {"advisory": "RHSA-2021:5107", "cpe": "cpe:/a:redhat:openshift:4.7::el8", "package": "openshift4/ose-metering-presto:v4.7.0-202112150631.p0.gd502108.assembly.4.7.40", "product_name": "Red Hat OpenShift Container Platform 4.7", "release_date": "2021-12-16T00:00:00Z"}, {"advisory": "RHSA-2021:5108", "cpe": "cpe:/a:redhat:openshift:4.8::el8", "package": "openshift4/ose-metering-hive:v4.8.0-202112132154.p0.g57dd03a.assembly.stream", "product_name": "Red Hat OpenShift Container Platform 4.8", "release_date": "2021-12-14T00:00:00Z"}, {"advisory": "RHSA-2021:5148", "cpe": "cpe:/a:redhat:openshift:4.8::el8", "package": "openshift4/ose-metering-presto:v4.8.0-202112150431.p0.g4b934ae.assembly.art3599", "product_name": "Red Hat OpenShift Container Platform 4.8", "release_date": "2021-12-15T00:00:00Z"}, {"advisory": "RHSA-2022:0083", "cpe": "cpe:/a:redhat:openshift_application_runtimes:1.0", "package": "log4j-core", "product_name": "Vert.x 4.1.8", "release_date": "2022-01-20T00:00:00Z"}], "bugzilla": {"description": "log4j-core: DoS in log4j 2.x with thread context message pattern and context lookup pattern (incomplete fix for CVE-2021-44228)", "id": "2032580", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2032580"}, "csaw": false, "cvss3": {"cvss3_base_score": "8.1", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "status": "verified"}, "cwe": "(CWE-20|CWE-502)->CWE-400", "details": ["It was found that the fix to address CVE-2021-44228 in Apache Log4j 2.15.0 was incomplete in certain non-default configurations. This could allows attackers with control over Thread Context Map (MDC) input data when the logging configuration uses a non-default Pattern Layout with either a Context Lookup (for example, $${ctx:loginId}) or a Thread Context Map pattern (%X, %mdc, or %MDC) to craft malicious input data using a JNDI Lookup pattern resulting in an information leak and remote code execution in some environments and local code execution in all environments. Log4j 2.16.0 (Java 8) and 2.12.2 (Java 7) fix this issue by removing support for message lookup patterns and disabling JNDI functionality by default.", "A flaw was found in the Apache Log4j logging library in versions from 2.0.0 and before 2.16.0. A remote attacker with control over Thread Context Map (MDC) input data could craft malicious input using a JNDI Lookup pattern resulting in remote code execution (RCE) in a limited number of environments."], "mitigation": {"lang": "en:us", "value": "For Log4j versions up to and including 2.15.0, this issue can be mitigated by removing the JndiLookup class from the classpath (example: zip -q -d log4j-core-*.jar org/apache/logging/log4j/core/lookup/JndiLookup.class)."}, "name": "CVE-2021-45046", "package_state": [{"cpe": "cpe:/a:redhat:a_mq_clients:2", "fix_state": "Not affected", "package_name": "log4j-core", "product_name": "A-MQ Clients 2"}, {"cpe": "cpe:/a:redhat:amq_broker:7", "fix_state": "Not affected", "package_name": "log4j", "product_name": "Red Hat AMQ Broker 7"}, {"cpe": "cpe:/a:redhat:quarkus:2", "fix_state": "Not affected", "package_name": "log4j-core", "product_name": "Red Hat build of Quarkus"}, {"cpe": "cpe:/a:redhat:jboss_developer_studio:12.", "fix_state": "Affected", "package_name": "log4j-core", "product_name": "Red Hat CodeReady Studio 12"}, {"cpe": "cpe:/a:redhat:jboss_enterprise_brms_platform:7", "fix_state": "Not affected", "package_name": "log4j-core", "product_name": "Red Hat Decision Manager 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:6", "fix_state": "Not affected", "package_name": "log4j", "product_name": "Red Hat Enterprise Linux 6"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Not affected", "package_name": "log4j", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Not affected", "package_name": "parfait:0.5/log4j12", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:6", "fix_state": "Not affected", "package_name": "log4j", "product_name": "Red Hat JBoss Enterprise Application Platform 6"}, {"cpe": "cpe:/a:redhat:jbosseapxp", "fix_state": "Not affected", "package_name": "log4j-core", "product_name": "Red Hat JBoss Enterprise Application Platform Expansion Pack"}, {"cpe": "cpe:/a:redhat:openstack:13", "fix_state": "Out of support scope", "package_name": "opendaylight", "product_name": "Red Hat OpenStack Platform 13 (Queens)"}, {"cpe": "cpe:/a:redhat:jboss_enterprise_bpms_platform:7", "fix_state": "Not affected", "package_name": "log4j-core", "product_name": "Red Hat Process Automation 7"}, {"cpe": "cpe:/a:redhat:quay:3", "fix_state": "Not affected", "package_name": "quay/quay-rhel8", "product_name": "Red Hat Quay 3"}, {"cpe": "cpe:/a:redhat:satellite:6", "fix_state": "Not affected", "package_name": "log4j-over-slf4j", "product_name": "Red Hat Satellite 6"}, {"cpe": "cpe:/a:redhat:red_hat_single_sign_on:7", "fix_state": "Not affected", "package_name": "log4j-core", "product_name": "Red Hat Single Sign-On 7"}, {"cpe": "cpe:/a:redhat:rhel_software_collections:3", "fix_state": "Not affected", "package_name": "rh-java-common-log4j", "product_name": "Red Hat Software Collections"}, {"cpe": "cpe:/a:redhat:rhel_software_collections:3", "fix_state": "Not affected", "package_name": "rh-maven35-log4j12", "product_name": "Red Hat Software Collections"}, {"cpe": "cpe:/a:redhat:rhel_software_collections:3", "fix_state": "Not affected", "package_name": "rh-maven36-log4j12", "product_name": "Red Hat Software Collections"}, {"cpe": "cpe:/a:redhat:amq_streams:1", "fix_state": "Affected", "package_name": "log4j-core", "product_name": "streams for Apache Kafka"}], "public_date": "2021-12-14T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2021-45046\nhttps://nvd.nist.gov/vuln/detail/CVE-2021-45046\nhttps://access.redhat.com/security/cve/CVE-2021-44228\nhttps://logging.apache.org/log4j/2.x/security.html\nhttps://www.openwall.com/lists/oss-security/2021/12/14/4\nhttps://www.cisa.gov/known-exploited-vulnerabilities-catalog"], "statement": "Although we have matched Apache's CVSS score, with the exception of the scope metric which will remain unaltered at \"unchanged\"; as we believe code execution would be at the permission levels of the running JVM and not exceeding that of the original CVE-2021-44228 flaw.\nWe have given this vulnerability an impact rating of Moderate, this is because of the unlikely nature of log4j lookup mapping values being derived from attacker controlled values. This is not the default configuration for end-applications using log4j 2.x and would require explicit action from a privileged user (a developer or administrator) to access the vulnerability. \nIn certain non-default configurations, it was found that the fix to address CVE-2021-44228 in Apache Log4j 2.15.0 was insufficient.\nThis issue affects the log4j version between 2.0 and 2.15. Log4j 1.x is NOT impacted by this vulnerability. \nPrerequisites to exploit this flaw are :\n- A remotely accessible endpoint with any protocol (HTTP, TCP, etc) that allows an attacker to send arbitrary data,\n- A log statement in the endpoint that logs the attacker controlled data.\n- Log4j configuration file should be explicitly configured to use a non-default Pattern Layout with a Context Lookup eg. ($${ctx:loginId}) \nIn most cases, the mitigation suggested for CVE-2021-44228 (i.e. to set the system property `log4j2.noFormatMsgLookup` to `true) does NOT mitigate this specific vulnerability. \nLog4j 2.16.0 fixes this issue by removing support for message lookup patterns and disabling JNDI functionality by default.\nFor Elasticsearch, as shipped in OpenShift 3.11, the \"log4j2.formatMsgNoLookups=true\" system property mitigation is sufficient as there are no included non-standard configurations that allow for exploitation:\nhttps://github.com/openshift/openshift-ansible/blob/release-3.11/roles/openshift_logging_elasticsearch/templates/log4j2.properties.j2\nhttps://discuss.elastic.co/t/apache-log4j2-remote-code-execution-rce-vulnerability-cve-2021-44228-esa-2021-31/291476\nFor CodeReady Studio the fix for this flaw is available on CodeReady Studio 12.21.3 and above versions.", "threat_severity": "Moderate"}

{}