It was found that the fix to address CVE-2021-44228 in Apache Log4j 2.15.0 was incomplete in certain non-default configurations. This could allows attackers with control over Thread Context Map (MDC) input data when the logging configuration uses a non-default Pattern Layout with either a Context Lookup (for example, $${ctx:loginId}) or a Thread Context Map pattern (%X, %mdc, or %MDC) to craft malicious input data using a JNDI Lookup pattern resulting in an information leak and remote code execution in some environments and local code execution in all environments. Log4j 2.16.0 (Java 8) and 2.12.2 (Java 7) fix this issue by removing support for message lookup patterns and disabling JNDI functionality by default.
References
Link Providers
http://www.openwall.com/lists/oss-security/2021/12/14/4 cve-icon cve-icon
http://www.openwall.com/lists/oss-security/2021/12/15/3 cve-icon cve-icon
http://www.openwall.com/lists/oss-security/2021/12/18/1 cve-icon cve-icon
https://access.redhat.com/security/cve/CVE-2021-44228 cve-icon
https://cert-portal.siemens.com/productcert/pdf/ssa-397453.pdf cve-icon cve-icon
https://cert-portal.siemens.com/productcert/pdf/ssa-479842.pdf cve-icon cve-icon
https://cert-portal.siemens.com/productcert/pdf/ssa-661247.pdf cve-icon cve-icon
https://cert-portal.siemens.com/productcert/pdf/ssa-714170.pdf cve-icon cve-icon
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/EOKPQGV24RRBBI4TBZUDQMM4MEH7MXCY/ cve-icon cve-icon
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/SIG7FZULMNK2XF6FZRU4VWYDQXNMUGAJ/ cve-icon cve-icon
https://logging.apache.org/log4j/2.x/security.html cve-icon cve-icon cve-icon
https://nvd.nist.gov/vuln/detail/CVE-2021-45046 cve-icon
https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2021-0032 cve-icon cve-icon
https://security.gentoo.org/glsa/202310-16 cve-icon cve-icon
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-apache-log4j-qRuKNEbd cve-icon cve-icon
https://www.cisa.gov/known-exploited-vulnerabilities-catalog cve-icon
https://www.cve.org/CVERecord?id=CVE-2021-44228 cve-icon cve-icon
https://www.cve.org/CVERecord?id=CVE-2021-45046 cve-icon
https://www.debian.org/security/2021/dsa-5022 cve-icon cve-icon
https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00646.html cve-icon cve-icon
https://www.kb.cert.org/vuls/id/930724 cve-icon cve-icon
https://www.openwall.com/lists/oss-security/2021/12/14/4 cve-icon
https://www.oracle.com/security-alerts/alert-cve-2021-44228.html cve-icon cve-icon
https://www.oracle.com/security-alerts/cpuapr2022.html cve-icon cve-icon
https://www.oracle.com/security-alerts/cpujan2022.html cve-icon cve-icon
https://www.oracle.com/security-alerts/cpujul2022.html cve-icon cve-icon
History

Thu, 31 Oct 2024 12:45:00 +0000

Type Values Removed Values Added
First Time appeared Cvat
Cvat computer Vision Annotation Tool
CPEs cpe:2.3:a:intel:computer_vision_annotation_tool:-:*:*:*:*:*:*:* cpe:2.3:a:cvat:computer_vision_annotation_tool:-:*:*:*:*:*:*:*
Vendors & Products Intel computer Vision Annotation Tool
Cvat
Cvat computer Vision Annotation Tool

Wed, 14 Aug 2024 00:45:00 +0000

Type Values Removed Values Added
References

cve-icon MITRE

Status: PUBLISHED

Assigner: apache

Published: 2021-12-14T16:55:09

Updated: 2024-08-04T04:32:13.624Z

Reserved: 2021-12-14T00:00:00

Link: CVE-2021-45046

cve-icon Vulnrichment

No data.

cve-icon NVD

Status : Modified

Published: 2021-12-14T19:15:07.733

Modified: 2024-11-21T06:31:51.470

Link: CVE-2021-45046

cve-icon Redhat

Severity : Moderate

Publid Date: 2021-12-14T00:00:00Z

Links: CVE-2021-45046 - Bugzilla