QwikSec

Security Database

CVE

CWE

Training

CVE-2021-45046

Published: Dec 14, 2021

Modified: Oct 21, 2025

PUBLISHED

Description

It was found that the fix to address CVE-2021-44228 in Apache Log4j 2.15.0 was incomplete in certain non-default configurations. This could allows attackers with control over Thread Context Map (MDC) input data when the logging configuration uses a non-default Pattern Layout with either a Context Lookup (for example, $${ctx:loginId}) or a Thread Context Map pattern (%X, %mdc, or %MDC) to craft malicious input data using a JNDI Lookup pattern resulting in an information leak and remote code execution in some environments and local code execution in all environments. Log4j 2.16.0 (Java 8) and 2.12.2 (Java 7) fix this issue by removing support for message lookup patterns and disabling JNDI functionality by default.

Vendor	Product	Versions
Apache Software Foundation	Apache Log4j	affected `Apache Log4j2 - < 2.16.0`

Weaknesses (CWE)

References

https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2021-0032

x_refsource_CONFIRM

https://www.oracle.com/security-alerts/alert-cve-2021-44228.html

x_refsource_CONFIRM

https://www.cve.org/CVERecord?id=CVE-2021-44228

x_refsource_MISC

[oss-security] 20211214 CVE-2021-45046: Apache Log4j2 Thread Context Message Pattern and Context Lookup Pattern vulnerable to a denial of service attack

mailing-list

x_refsource_MLIST

https://logging.apache.org/log4j/2.x/security.html

x_refsource_CONFIRM

third-party-advisory

x_refsource_CERT-VN

https://cert-portal.siemens.com/productcert/pdf/ssa-661247.pdf

x_refsource_CONFIRM

https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00646.html

x_refsource_CONFIRM

20211210 Vulnerabilities in Apache Log4j Library Affecting Cisco Products: December 2021

vendor-advisory

x_refsource_CISCO

[oss-security] 20211215 Re: CVE-2021-45046: Apache Log4j2 Thread Context Message Pattern and Context Lookup Pattern vulnerable to a denial of service attack

mailing-list

x_refsource_MLIST

https://cert-portal.siemens.com/productcert/pdf/ssa-714170.pdf

x_refsource_CONFIRM

vendor-advisory

x_refsource_DEBIAN

[oss-security] 20211218 Re: CVE-2021-45046: Apache Log4j2 Thread Context Message Pattern and Context Lookup Pattern vulnerable to a denial of service attack

mailing-list

x_refsource_MLIST

https://cert-portal.siemens.com/productcert/pdf/ssa-397453.pdf

x_refsource_CONFIRM

https://cert-portal.siemens.com/productcert/pdf/ssa-479842.pdf

x_refsource_CONFIRM

FEDORA-2021-5c9d12a93e

vendor-advisory

x_refsource_FEDORA

FEDORA-2021-abbe24e41c

vendor-advisory

x_refsource_FEDORA

https://www.oracle.com/security-alerts/cpujan2022.html

x_refsource_MISC

https://www.oracle.com/security-alerts/cpuapr2022.html

x_refsource_MISC

https://www.oracle.com/security-alerts/cpujul2022.html

x_refsource_MISC

https://security.gentoo.org/glsa/202310-16

Security Training

Train your team to recognize and prevent security threats with our comprehensive security awareness program.

Vulnerability Scanning

Discover vulnerabilities in your applications and infrastructure before attackers do.