We have detected a critical security vulnerability (CVE-2021-45046) in Apache Log4j components used by WebAPI. This vulnerability allows attackers to exploit incomplete fixes for CVE-2021-44228 in certain non-default configurations, potentially leading to Remote Code Execution (RCE) and information disclosure.
Details:
- CVE: CVE-2021-45046
- Severity: Critical
- Affected Components: log4j-core versions:
- 2.2 (WEBAPI 2.14.0 uses this version)
- 2.13.3
- 2.14.0
- Exploit Availability: Confirmed
Description:
The fix for CVE-2021-44228 in Log4j 2.15.0 was incomplete. Attackers can manipulate Thread Context Map (MDC) input data when logging configuration uses non-default Pattern Layout with Context Lookup (e.g., $ {ctx:loginId}) or Thread Context Map patterns (%X, %mdc, %MDC). This can result in malicious JNDI lookups, leading to RCE or sensitive data leaks.
Recommended Fix:
- Upgrade to patched versions:
- 2.12.2
- 2.16.0 (or higher)
We have detected a critical security vulnerability (CVE-2021-45046) in Apache Log4j components used by WebAPI. This vulnerability allows attackers to exploit incomplete fixes for CVE-2021-44228 in certain non-default configurations, potentially leading to Remote Code Execution (RCE) and information disclosure.
Details:
Description:
The fix for CVE-2021-44228 in Log4j 2.15.0 was incomplete. Attackers can manipulate Thread Context Map (MDC) input data when logging configuration uses non-default Pattern Layout with Context Lookup (e.g., $ {ctx:loginId}) or Thread Context Map patterns (%X, %mdc, %MDC). This can result in malicious JNDI lookups, leading to RCE or sensitive data leaks.
Recommended Fix: