/

CVE-2021-45046 Report - Details, Severity, & Advisorie...

CVE-2021-45046 Report - Details, Severity, & Advisories

Twingate Team

Jan 18, 2024

CVE-2021-45046 is a critical vulnerability affecting Apache Log4j, a widely used logging library in various systems and applications. This vulnerability is related to an incomplete fix for a previous issue (CVE-2021-44228) in certain non-default configurations. Attackers with control over Thread Context Map (MDC) input data can exploit this vulnerability, potentially leading to information leaks, remote code execution in some environments, and local code execution in all environments. The issue has been fixed in Log4j 2.16.0 (Java 8) and 2.12.2 (Java 7).

How do I know if I'm affected?

If you're using Apache Log4j, you might be affected by the vulnerability. This issue impacts Log4j versions from 2.0.1 to 2.12.2 (Java 7) and from 2.13.0 to 2.16.0 (Java 8). You could be at risk if your logging configuration uses a non-default Pattern Layout with either a Context Lookup or a Thread Context Map pattern, and an attacker can control the input data. This vulnerability can lead to information leaks, remote code execution in some environments, and local code execution in all environments.

What should I do if I'm affected?

If you're affected by the vulnerability, it's crucial to update your Apache Log4j to version 2.16.0 (Java 8) or 2.12.2 (Java 7) to fix the issue. This update removes support for message lookup patterns and disables JNDI functionality by default, mitigating the vulnerability. Always keep your software up-to-date to protect against potential threats.

Is this in CISA’s Known Exploited Vulnerabilities Catalog?

Yes, it is included in CISA's Known Exploited Vulnerabilities Catalog. The vulnerability is called "Apache Log4j2 Deserialization of Untrusted Data Vulnerability" and was added on May 1, 2023. Organizations have until May 22, 2023, to address the vulnerability by applying updates according to vendor instructions.

Weakness enumeration

The weakness enumeration for this vulnerability is categorized as CWE-917, allowing attackers to exploit special elements in expression language statements, potentially causing denial of service attacks or remote code execution. Patching is recommended for mitigation.

For more details

CVE-2021-45046 is a critical vulnerability in Apache Log4j, with potential consequences such as information leaks and remote code execution. To gain a deeper understanding of this vulnerability, including its technical details, severity, and affected software configurations, refer to the NVD page or the links below.

Rapidly implement a modern Zero Trust network that is more secure and maintainable than VPNs.

/

CVE-2021-45046 Report - Details, Severity, & Advisorie...

CVE-2021-45046 Report - Details, Severity, & Advisories

Twingate Team

Jan 18, 2024

CVE-2021-45046 is a critical vulnerability affecting Apache Log4j, a widely used logging library in various systems and applications. This vulnerability is related to an incomplete fix for a previous issue (CVE-2021-44228) in certain non-default configurations. Attackers with control over Thread Context Map (MDC) input data can exploit this vulnerability, potentially leading to information leaks, remote code execution in some environments, and local code execution in all environments. The issue has been fixed in Log4j 2.16.0 (Java 8) and 2.12.2 (Java 7).

How do I know if I'm affected?

If you're using Apache Log4j, you might be affected by the vulnerability. This issue impacts Log4j versions from 2.0.1 to 2.12.2 (Java 7) and from 2.13.0 to 2.16.0 (Java 8). You could be at risk if your logging configuration uses a non-default Pattern Layout with either a Context Lookup or a Thread Context Map pattern, and an attacker can control the input data. This vulnerability can lead to information leaks, remote code execution in some environments, and local code execution in all environments.

What should I do if I'm affected?

If you're affected by the vulnerability, it's crucial to update your Apache Log4j to version 2.16.0 (Java 8) or 2.12.2 (Java 7) to fix the issue. This update removes support for message lookup patterns and disables JNDI functionality by default, mitigating the vulnerability. Always keep your software up-to-date to protect against potential threats.

Is this in CISA’s Known Exploited Vulnerabilities Catalog?

Yes, it is included in CISA's Known Exploited Vulnerabilities Catalog. The vulnerability is called "Apache Log4j2 Deserialization of Untrusted Data Vulnerability" and was added on May 1, 2023. Organizations have until May 22, 2023, to address the vulnerability by applying updates according to vendor instructions.

Weakness enumeration

The weakness enumeration for this vulnerability is categorized as CWE-917, allowing attackers to exploit special elements in expression language statements, potentially causing denial of service attacks or remote code execution. Patching is recommended for mitigation.

For more details

CVE-2021-45046 is a critical vulnerability in Apache Log4j, with potential consequences such as information leaks and remote code execution. To gain a deeper understanding of this vulnerability, including its technical details, severity, and affected software configurations, refer to the NVD page or the links below.

Rapidly implement a modern Zero Trust network that is more secure and maintainable than VPNs.

CVE-2021-45046 Report - Details, Severity, & Advisories

Twingate Team

Jan 18, 2024

CVE-2021-45046 is a critical vulnerability affecting Apache Log4j, a widely used logging library in various systems and applications. This vulnerability is related to an incomplete fix for a previous issue (CVE-2021-44228) in certain non-default configurations. Attackers with control over Thread Context Map (MDC) input data can exploit this vulnerability, potentially leading to information leaks, remote code execution in some environments, and local code execution in all environments. The issue has been fixed in Log4j 2.16.0 (Java 8) and 2.12.2 (Java 7).

How do I know if I'm affected?

If you're using Apache Log4j, you might be affected by the vulnerability. This issue impacts Log4j versions from 2.0.1 to 2.12.2 (Java 7) and from 2.13.0 to 2.16.0 (Java 8). You could be at risk if your logging configuration uses a non-default Pattern Layout with either a Context Lookup or a Thread Context Map pattern, and an attacker can control the input data. This vulnerability can lead to information leaks, remote code execution in some environments, and local code execution in all environments.

What should I do if I'm affected?

If you're affected by the vulnerability, it's crucial to update your Apache Log4j to version 2.16.0 (Java 8) or 2.12.2 (Java 7) to fix the issue. This update removes support for message lookup patterns and disables JNDI functionality by default, mitigating the vulnerability. Always keep your software up-to-date to protect against potential threats.

Is this in CISA’s Known Exploited Vulnerabilities Catalog?

Yes, it is included in CISA's Known Exploited Vulnerabilities Catalog. The vulnerability is called "Apache Log4j2 Deserialization of Untrusted Data Vulnerability" and was added on May 1, 2023. Organizations have until May 22, 2023, to address the vulnerability by applying updates according to vendor instructions.

Weakness enumeration

The weakness enumeration for this vulnerability is categorized as CWE-917, allowing attackers to exploit special elements in expression language statements, potentially causing denial of service attacks or remote code execution. Patching is recommended for mitigation.

For more details

CVE-2021-45046 is a critical vulnerability in Apache Log4j, with potential consequences such as information leaks and remote code execution. To gain a deeper understanding of this vulnerability, including its technical details, severity, and affected software configurations, refer to the NVD page or the links below.