
Vulnerability

CVE-2021-45046
CVSS Score: 3.7 (Moderate)

Attack Vector: Network
Attack Complexity: High
Privileges Required: None
User Interaction: None
Scope: Unchanged
Confidentiality Impact: None
Integrity Impact: None
Availability Impact: Low
CVSS Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L
CWE: Not Recorded

Description


It was found that the fix to address CVE-2021-44228 in Apache Log4j 2.15.0 was incomplete in certain non-default configurations. This could allow attackers with control over Thread Context Map (MDC) input data, when the logging configuration uses a non-default Pattern Layout with either a Context Lookup (for example, $${ctx:loginId}) or a Thread Context Map pattern (%X, %mdc, or %MDC), to craft malicious input data using a JNDI Lookup pattern, resulting in a denial of service (DoS) attack. Log4j 2.15.0 restricts JNDI LDAP lookups to localhost by default. Note that previous mitigations involving configuration, such as setting the system property `log4j2.noFormatMsgLookup` to `true`, do NOT mitigate this specific vulnerability. Log4j 2.16.0 fixes this issue by removing support for message lookup patterns and disabling JNDI functionality by default. This issue can be mitigated in prior releases (<2.16.0) by removing the JndiLookup class from the classpath (example: zip -q -d log4j-core-*.jar org/apache/logging/log4j/core/lookup/JndiLookup.class).

The following information is provided by Sonatype Nexus Intelligence. Nexus Intelligence is the only security research service that performs "secondary expansion" to determine if newly discovered vulnerabilities are also present in other components. Learn more about Nexus Intelligence: https://www.sonatype.com/products/intelligence

Explanation

The `log4j-core` package is vulnerable to Use of an Externally-Controlled Format String. The `format()` method in the `MessagePatternConverter` and `MessagePatternConverter$LookupMessagePatternConverter` classes allows `JNDI LDAP` lookups to be made to remote hosts by default while logging application events. If the data retrieved is used to control the input data used in `Thread Context Maps` or `Context Lookups`, an attacker with control over a logged value may craft a malicious JNDI lookup string that causes `log4j` to crash. This may result in undefined behavior in applications using `log4j-core`, and can lead to a Denial of Service (DoS) condition.

Note: This vulnerability is a follow-up to CVE-2021-44228 to address the DoS attack vector.

Detection

The application is vulnerable by using this component.

Recommendation

We recommend upgrading to a version of this component that is not vulnerable to this specific issue.

Note: If this component is included as a bundled/transitive dependency of another component, there may not be an upgrade path. In this instance, we recommend contacting the maintainers who included the vulnerable package. Alternatively, we recommend investigating alternative components or a potential mitigating control.

Mitigating controls from the project advisory:

  • Java 8 (or later) users should upgrade to release 2.16.0.
  • Users requiring Java 7 should upgrade to release 2.12.2 when it becomes available (work in progress, expected to be available soon).
  • Otherwise, remove the JndiLookup class from the classpath: zip -q -d log4j-core-*.jar org/apache/logging/log4j/core/lookup/JndiLookup.class

Reference: https://logging.apache.org/log4j/2.x/security.html
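As an added example (not part of this advisory or of the Log4j project), a Python check that applies the two conditions above defensively: it flags the Pattern Layout elements the advisory names ($${ctx:...}, %X, %mdc, %MDC) in a log4j2 configuration, tests whether a log4j-core jar still contains JndiLookup.class, and rewrites the jar without that entry with the same effect as the zip -d command. The jar and configuration it uses are constructed stand-ins, not real log4j artifacts.

```python
import re
import tempfile
import zipfile

JNDI_LOOKUP_ENTRY = "org/apache/logging/log4j/core/lookup/JndiLookup.class"  # class the advisory removes (<2.16.0 mitigation)

# Pattern Layout elements the advisory names as the trigger for this CVE.
RISKY_PATTERNS = {
    "context lookup ${ctx:...}": re.compile(r"\$\$?\{ctx:"),
    "thread context map %X": re.compile(r"%X\b"),
    "thread context map %mdc": re.compile(r"%mdc\b"),
    "thread context map %MDC": re.compile(r"%MDC\b"),
}

SAMPLE_CONFIG = '<PatternLayout pattern="%d %p %c user=%X{loginId} %m%n"/>'  # constructed: non-default layout logging an MDC value

def risky_layout_patterns(config_text: str) -> list:
    """Return the advisory-listed pattern elements present in a log4j2 config."""
    return [name for name, rx in RISKY_PATTERNS.items() if rx.search(config_text)]

def jar_has_jndi_lookup(jar_path: str) -> bool:
    """True if the jar still ships JndiLookup.class (mitigation not applied)."""
    with zipfile.ZipFile(jar_path) as jar:
        return JNDI_LOOKUP_ENTRY in jar.namelist()

def strip_jndi_lookup(src_jar: str, dst_jar: str) -> int:
    """Rewrite the jar without JndiLookup.class (same effect as the advisory's zip -d); returns entries copied."""
    copied = 0
    with zipfile.ZipFile(src_jar) as src, zipfile.ZipFile(dst_jar, "w") as dst:
        for info in src.infolist():
            if info.filename == JNDI_LOOKUP_ENTRY:
                continue  # drop the lookup class, keep every other entry as-is
            dst.writestr(info, src.read(info.filename))
            copied += 1
    return copied

def assess(config_text: str, jar_path: str) -> dict:
    """The DoS path needs a risky layout AND JndiLookup still on the classpath."""
    patterns = risky_layout_patterns(config_text)
    present = jar_has_jndi_lookup(jar_path)
    return {"risky_patterns": patterns, "jndi_lookup_present": present, "exposed": bool(patterns) and present}

def make_sample_jar() -> str:
    """Constructed stand-in for log4j-core: a zip holding a placeholder JndiLookup entry."""
    path = f"{tempfile.mkdtemp()}/log4j-core-sample.jar"
    with zipfile.ZipFile(path, "w") as jar:
        jar.writestr(JNDI_LOOKUP_ENTRY, b"placeholder, not a real class file")
        jar.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
    return path
```

Point `assess()` at a real log4j2 configuration and jar to get the same three-field verdict; a clean result from `risky_layout_patterns()` alone does not cover the CVE-2021-44228 message lookup path, which the advisory addresses separately.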
