CVE-2021-45046

Apache Log4j2 Thread Context Message Pattern and Context Lookup Pattern vulnerable to a denial of service attack

Basic Information

CVE State: PUBLISHED
Reserved Date: December 14, 2021
Published Date: December 14, 2021
Last Updated: February 13, 2025
Vendor: Apache Software Foundation
Product: Apache Log4j
Description: It was found that the fix to address CVE-2021-44228 in Apache Log4j 2.15.0 was incomplete in certain non-default configurations. This could allows attackers with control over Thread Context Map (MDC) input data when the logging configuration uses a non-default Pattern Layout with either a Context Lookup (for example, $${ctx:loginId}) or a Thread Context Map pattern (%X, %mdc, or %MDC) to craft malicious input data using a JNDI Lookup pattern resulting in an information leak and remote code execution in some environments and local code execution in all environments. Log4j 2.16.0 (Java 8) and 2.12.2 (Java 7) fix this issue by removing support for message lookup patterns and disabling JNDI functionality by default.
Tags

CVSS Scores

CVSS v3.1

9.0 - CRITICAL

Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H

CVSS v2.0

5.1

Vector: AV:N/AC:H/Au:N/C:P/I:P/A:P

SSVC Information

Exploitation: active
Technical Impact: total

Exploit Status

Exploited in the Wild: Yes (2023-05-01 00:00:00 UTC) Source
Proof of Concept Available: Yes (added 2021-12-15 16:28:11 UTC) Source
Used in Malware: Yes (added 2023-05-01 00:00:00 UTC) Source

References

https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2021-0032 https://www.oracle.com/security-alerts/alert-cve-2021-44228.html https://www.cve.org/CVERecord?id=CVE-2021-44228 http://www.openwall.com/lists/oss-security/2021/12/14/4 https://logging.apache.org/log4j/2.x/security.html https://www.kb.cert.org/vuls/id/930724 https://cert-portal.siemens.com/productcert/pdf/ssa-661247.pdf https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00646.html https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-apache-log4j-qRuKNEbd http://www.openwall.com/lists/oss-security/2021/12/15/3 https://cert-portal.siemens.com/productcert/pdf/ssa-714170.pdf https://www.debian.org/security/2021/dsa-5022 http://www.openwall.com/lists/oss-security/2021/12/18/1 https://cert-portal.siemens.com/productcert/pdf/ssa-397453.pdf https://cert-portal.siemens.com/productcert/pdf/ssa-479842.pdf https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/EOKPQGV24RRBBI4TBZUDQMM4MEH7MXCY/ https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/SIG7FZULMNK2XF6FZRU4VWYDQXNMUGAJ/ https://www.oracle.com/security-alerts/cpujan2022.html https://www.oracle.com/security-alerts/cpuapr2022.html https://www.oracle.com/security-alerts/cpujul2022.html https://security.gentoo.org/glsa/202310-16

Known Exploited Vulnerability Information

Source	Added Date
CISA	2023-05-01 00:00:00 UTC

Scanner Integrations

Scanner	URL	Date Detected
Nuclei	https://github.com/projectdiscovery/nuclei-templates/blob/main/http/cves/2021/CVE-2021-45046.yaml	2025-04-26 00:00:00 UTC

Potential Proof of Concepts

Warning: These PoCs have not been tested and could contain malware. Use at your own risk.

tejas-nagchandi/CVE-2021-45046

Type: github • Created: 2021-12-15 16:28:11 UTC • Stars: 0

Replicating CVE-2021-45046

BobTheShoplifter/CVE-2021-45046-Info

Type: github • Created: 2021-12-15 09:01:37 UTC • Stars: 4

Oh no another one

cckuailong/Log4j_CVE-2021-45046

Type: github • Created: 2021-12-15 05:48:53 UTC • Stars: 20

Log4j 2.15.0 Privilege Escalation -- CVE-2021-45046

Timeline

CVE ID Reserved

December 14, 2021
CVE Published to Public

December 14, 2021
Proof of Concept Exploit Available

December 15, 2021
Exploit Used in Malware

May 01, 2023
Added to KEVIntel

May 01, 2023
Detected by Nuclei

April 26, 2025