CVE-2021-45046
Remote Code Execution vulnerability in org.apache.logging.log4j:log4j-core

Remote Code Execution | High confidence exploit

What is CVE-2021-45046 About?

Apache Log4j 2.15.0 has an incomplete fix for CVE-2021-44228, allowing Remote Code Execution (RCE) in specific non-default configurations. Attackers with control over Thread Context Map (MDC) input can craft malicious JNDI Lookup patterns. Exploitation is moderately difficult, requiring control over MDC input and a vulnerable configuration.

Affected Software

  • org.apache.logging.log4j:log4j-core
    • >2.13.0, <2.16.0
    • <2.12.2
  • org.ops4j.pax.logging:pax-logging-log4j2
    • >2.0.0, <2.0.12
    • >1.8.0, <1.9.2
    • >1.11.0, <1.11.11
    • >1.10.0, <1.10.8

Technical Details

This vulnerability affects Apache Log4j version 2.15.0 due to an incomplete fix for CVE-2021-44228. It specifically impacts non-default configurations where a Pattern Layout with a Context Lookup (e.g., `${ctx:loginId}`) or a Thread Context Map pattern (`%X`, `%mdc`, or `%MDC`) is used. An attacker with control over the Thread Context Map (MDC) input data can inject a malicious JNDI Lookup pattern into this data. When Log4j processes this crafted MDC input, the JNDI Lookup is performed, potentially allowing an attacker to execute arbitrary code remotely. This RCE is triggered by the deserialization of objects from an attacker-controlled remote server, similar to the original Log4j RCE, but specifically through the MDC logging mechanism. Log4j 2.16.0 addresses this by removing support for message lookup patterns and disabling JNDI by default.

What is the Impact of CVE-2021-45046?

Successful exploitation may allow attackers to execute arbitrary code with the privileges of the affected application, leading to full system compromise, data theft, or denial of service.

What is the Exploitability of CVE-2021-45046?

Exploitation complexity is moderate. A key prerequisite is that an attacker must have control over the Thread Context Map (MDC) input data, which might require some level of access or ability to influence a user's session or application state. Additionally, the logging configuration must be non-default, specifically using a Pattern Layout with a Context Lookup or Thread Context Map pattern. Remote exploitation is possible if the attacker can influence the MDC data over a network. There are no explicit authentication or high privilege requirements beyond the ability to control the MDC input. The main constraint is the specific configuration of Log4j and the attacker's ability to manipulate the MDC. The risk of exploitation increases if an application widely uses MDC for user-controlled data that is then logged, and if administrators have not updated to versions that disable JNDI lookups by default or removed the JndiLookup class.
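
The configuration precondition described under Technical Details and Exploitability can be checked mechanically. The following is an added example, not code from this page or from the Log4j project: a line-based scan of Log4j 2 configuration text for Context Lookups and Thread Context Map converters, listing the MDC keys whose values reach the log. The names scan_config, keys_to_audit and Finding, and the sample configuration, are constructed for illustration.

```python
import re
from typing import List, NamedTuple

class Finding(NamedTuple):
    line: int  # 1-based line number in the configuration text
    kind: str  # "context-lookup" or "mdc-converter"
    key: str   # MDC key that reaches the log; "*" means the whole map

# ${ctx:key} Context Lookup (also matches the $${ctx:key} spelling).
CTX_LOOKUP = re.compile(r"\$\{ctx:([^}:]+)")
# "%%" is a literal percent and is consumed first so "%%X" is not flagged; otherwise
# "%", optional format modifiers (-5, 20.30), X / mdc / MDC, optional {key1,key2}.
MDC_CONVERTER = re.compile(r"%%|%[-\d.]*(X|mdc|MDC)(?:\{([^}]*)\})?")

def scan_config(text: str) -> List[Finding]:
    """Return every place where Thread Context Map data is written to a log."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for m in CTX_LOOKUP.finditer(line):
            findings.append(Finding(lineno, "context-lookup", m.group(1).strip()))
        for m in MDC_CONVERTER.finditer(line):
            if m.group(1):  # group 1 is empty for the escaped "%%"
                keys = [k.strip() for k in (m.group(2) or "").split(",") if k.strip()]
                for key in keys or ["*"]:
                    findings.append(Finding(lineno, "mdc-converter", key))
    return findings

def keys_to_audit(findings: List[Finding]) -> List[str]:
    return sorted({f.key for f in findings})  # trace each key back to its source

# Constructed sample configuration (not taken from any real deployment).
SAMPLE_CONFIG = """\
<Configuration>
  <Appenders>
    <Console name="plain">
      <PatternLayout pattern="%d %-5level %c - %msg%n"/>
    </Console>
    <Console name="audit">
      <PatternLayout pattern="%d %X{requestId} 100%%X - %msg%n"/>
    </Console>
    <Console name="perUser">
      <PatternLayout pattern="%d $${ctx:loginId} %-20MDC %msg%n"/>
    </Console>
  </Appenders>
</Configuration>
"""

if __name__ == "__main__":
    print(*scan_config(SAMPLE_CONFIG), sep="\n")
```

A finding marks a configuration that meets the precondition; whether it is exploitable still depends on the Log4j version in use and on whether the listed keys hold attacker-influenced data.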

What are the Known Public Exploits?

PoC Author | Link | Commentary
lijiejie | Link | Log4j vulnerability local detection script. Scan all java processes on your host to check whether it's affected by log4j2 remote code execution vulnerability (CVE-2021-45046)
cckuailong | Link | Log4j 2.15.0 Privilege Escalation -- CVE-2021-45046
mergebase | Link | Public testing data. Samples of log4j library versions to help log4j scanners / detectors improve their accuracy for detecting CVE-2021-45046 and CVE-2021-44228. TAG_TESTING, OWNER_KEN, DC_PUBLIC

What are the Available Fixes for CVE-2021-45046?

Available Upgrade Options

  • org.apache.logging.log4j:log4j-core
    • <2.12.2 → Upgrade to 2.12.2
  • org.apache.logging.log4j:log4j-core
    • >2.13.0, <2.16.0 → Upgrade to 2.16.0
  • org.ops4j.pax.logging:pax-logging-log4j2
    • >1.8.0, <1.9.2 → Upgrade to 1.9.2
  • org.ops4j.pax.logging:pax-logging-log4j2
    • >1.10.0, <1.10.8 → Upgrade to 1.10.8
  • org.ops4j.pax.logging:pax-logging-log4j2
    • >1.11.0, <1.11.11 → Upgrade to 1.11.11
  • org.ops4j.pax.logging:pax-logging-log4j2
    • >2.0.0, <2.0.12 → Upgrade to 2.0.12

Additional Resources

What are Similar Vulnerabilities to CVE-2021-45046?

Similar Vulnerabilities: CVE-2021-44228, CVE-2021-44832, CVE-2022-23305, CVE-2022-23307, CVE-2022-23302