CVE-2021-45046

Public on 2021-12-14
Modified on 2023-01-18
Description
It was found that the fix to address CVE-2021-44228 in Apache Log4j 2.15.0 was incomplete in certain non-default configurations. This could allow attackers with control over Thread Context Map (MDC) input data, when the logging configuration uses a non-default Pattern Layout with either a Context Lookup (for example, $${ctx:loginId}) or a Thread Context Map pattern (%X, %mdc, or %MDC), to craft malicious input data using a JNDI Lookup pattern, resulting in a denial of service (DoS) attack. Log4j 2.15.0 makes a best-effort attempt to restrict JNDI LDAP lookups to localhost by default. Log4j 2.16.0 fixes this issue by removing support for message lookup patterns and disabling JNDI functionality by default.
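The condition the description sets out (MDC data reaching a non-default Pattern Layout that Log4j 2.15.0 still evaluates for lookups) can be triaged from a log4j2 XML configuration. The scanner below is an added example, not part of this advisory or of Log4j itself; the two embedded configurations are constructed samples, and the risky_patterns helper and its regular expressions are assumptions about how those pattern forms appear in a configuration.

```python
import re
import xml.etree.ElementTree as ET

# Conversion patterns the advisory names as pulling Thread Context Map (MDC)
# data into the layout: a Context Lookup (${ctx:key}, written $${ctx:key} in a
# config file so it is resolved at log time) and the %X / %mdc / %MDC forms.
# Both regexes are assumptions about how those forms appear in a pattern string.
CONTEXT_LOOKUP = re.compile(r"\$\$?\{ctx:")
MDC_CONVERSION = re.compile(r"%(?:X|mdc|MDC)\b")

def risky_patterns(config_xml: str) -> list:
    """Return every PatternLayout pattern in a log4j2 XML configuration that
    feeds MDC data through one of the forms above. On Log4j 2.15.0 such a
    pattern, combined with attacker-influenced MDC values, is the non-default
    configuration CVE-2021-45046 describes; the default pattern is not flagged."""
    root = ET.fromstring(config_xml)
    hits = []
    for layout in root.iter("PatternLayout"):
        # The pattern may be an attribute or a nested <Pattern> element.
        pattern = layout.get("pattern") or layout.findtext("Pattern") or ""
        if CONTEXT_LOOKUP.search(pattern) or MDC_CONVERSION.search(pattern):
            hits.append(pattern.strip())
    return hits

# Constructed sample: a non-default layout that echoes MDC values into every line.
RISKY_CONFIG = """<Configuration status="WARN">
  <Appenders>
    <Console name="Console" target="SYSTEM_OUT">
      <PatternLayout pattern="%d{HH:mm:ss} [%t] $${ctx:loginId} %X{requestId} %-5level %logger - %msg%n"/>
    </Console>
  </Appenders>
  <Loggers><Root level="info"><AppenderRef ref="Console"/></Root></Loggers>
</Configuration>"""

# Constructed sample: a default-style layout that carries no MDC data.
DEFAULT_CONFIG = """<Configuration status="WARN">
  <Appenders>
    <Console name="Console" target="SYSTEM_OUT">
      <PatternLayout><Pattern>%d{HH:mm:ss} [%t] %-5level %logger{36} - %msg%n</Pattern></PatternLayout>
    </Console>
  </Appenders>
  <Loggers><Root level="info"><AppenderRef ref="Console"/></Root></Loggers>
</Configuration>"""

if __name__ == "__main__":
    for name, cfg in (("risky", RISKY_CONFIG), ("default", DEFAULT_CONFIG)):
        print(name, risky_patterns(cfg))
```

A hit means the 2.15.0 mitigation alone is not sufficient for that deployment and the upgrade to 2.16.0 (or the package fixes listed below) should be prioritised.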
Severity
Critical
CVSS v3 Base Score
9.0

Affected Packages

Platform                                Package                      Release Date  Advisory                       Status
Amazon Linux 2 - Core                   aws-kinesis-agent            2021-12-16    ALAS2-2021-1730                Fixed
Amazon Linux 1                          java-1.6.0-openjdk           2021-12-17    ALAS-2021-1553                 Fixed
Amazon Linux 1                          java-1.7.0-openjdk           2021-12-17    ALAS-2021-1553                 Fixed
Amazon Linux 2 - Core                   java-1.7.0-openjdk           2021-12-17    ALAS2-2021-1731                Fixed
Amazon Linux 2 - Corretto8 Extra        java-1.8.0-amazon-corretto   2021-12-17    ALAS2CORRETTO8-2021-001        Fixed
Amazon Linux 1                          java-1.8.0-openjdk           2021-12-17    ALAS-2021-1553                 Fixed
Amazon Linux 2 - Core                   java-1.8.0-openjdk           2021-12-17    ALAS2-2021-1731                Fixed
Amazon Linux 2 - Core                   java-11-amazon-corretto      2021-12-17    ALAS2-2021-1731                Fixed
Amazon Linux 2 - Java-openjdk11 Extra   java-11-openjdk              2021-12-17    ALAS2JAVA-OPENJDK11-2021-001   Fixed
Amazon Linux 2 - Core                   java-17-amazon-corretto      2021-12-17    ALAS2-2021-1731                Fixed
Amazon Linux 2023                       log4j                                                                     Pending Fix

CVSS Scores

Source        Score Type  Score  Vector
Amazon Linux  CVSSv3      9.0    AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H
NVD           CVSSv3      9.0    CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H
NVD           CVSSv2      5.1    AV:N/AC:H/Au:N/C:P/I:P/A:P