Apache Log4j2 Thread Context Message Pattern and Context Lookup Pattern vulnerable to a denial of service attack
CVE-2021-45046

9CRITICAL

Key Information:

Vendor: Apache
Status: Apache Log4j
Vendor: CVE Published:; 14 December 2021

Badges

💰 Ransomware👾 Exploit Exists🟡 Public PoC🟣 EPSS 96%🦅 CISA Reported

Summary

It was found that the fix to address CVE-2021-44228 in Apache Log4j 2.15.0 was incomplete in certain non-default configurations. This could allows attackers with control over Thread Context Map (MDC) input data when the logging configuration uses a non-default Pattern Layout with either a Context Lookup (for example, $${ctx:loginId}) or a Thread Context Map pattern (%X, %mdc, or %MDC) to craft malicious input data using a JNDI Lookup pattern resulting in an information leak and remote code execution in some environments and local code execution in all environments. Log4j 2.16.0 (Java 8) and 2.12.2 (Java 7) fix this issue by removing support for message lookup patterns and disabling JNDI functionality by default.

CISA Reported

CISA provides regional cyber and physical services to support security and resilience across the United States. CISA monitor the most dangerious vulnerabilities and have identifed as being exploited and is known by the CISA as enabling ransomware campaigns.

The CISA's recommendation is: Apply updates per vendor instructions.

Affected Version(s)

Apache Log4j Apache Log4j2 < 2.16.0

Exploit Proof of Concept (PoC)

PoC code is written by security researchers to demonstrate the vulnerability can be exploited. PoC code is also a key component for weaponization which could lead to ransomware.

log4j2_vul_local_scanner
Created by lijiejie

Log4j_CVE-2021-45046
Created by cckuailong

log4j-samples
Created by mergebase